CVE-2023-6551: Improper Input Validation

January 4, 2024

As a simple library, class.upload.php does not perform an in-depth check on uploaded files, allowing a stored XSS vulnerability when the default configuration is used.

Developers must be aware of that fact and use extension allow listing accompanied by forcing the server to always provide content-type based on the file extension.

The README has been updated to include these guidelines.

References

cert.pl/en/posts/2024/01/CVE-2023-6551
cert.pl/posts/2024/01/CVE-2023-6551
github.com/advisories/GHSA-v6f4-jwv9-682w
github.com/verot/class.upload.php/commit/befbccc2330b0ccb148fc87495896bd7b57f8c57
nvd.nist.gov/vuln/detail/CVE-2023-6551

Detect and mitigate CVE-2023-6551 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →