Summary
When uploading files (e.g. when uploading assets), the file extension is checked to see if it's an allowed file type but the actual contents of the file aren't checked.
Details
When uploading files (e.g. when uploading assets), the file extension is checked to see if it's an allowed file type but the actual contents of the file aren't checked. This means that it's possible to e.g. upload an executable file renamed to be a .jpg. This file could then be executed by another security vulnerability.
This is a relatively minor issue unless combined with other vulnerabilities.
mwigley-trilogy Remediation developer
bdukes Remediation reviewer
valadas Remediation reviewer
mitchelsellers Remediation reviewer
Summary
When uploading files (e.g. when uploading assets), the file extension is checked to see if it's an allowed file type but the actual contents of the file aren't checked.
Details
When uploading files (e.g. when uploading assets), the file extension is checked to see if it's an allowed file type but the actual contents of the file aren't checked. This means that it's possible to e.g. upload an executable file renamed to be a .jpg. This file could then be executed by another security vulnerability.
This is a relatively minor issue unless combined with other vulnerabilities.