CVE-2025-28168

{"id": "CVE-2025-28168", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve@mitre.org", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 3.1}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2025-05-05T14:15:28.500", "references": [{"url": "https://gist.github.com/IamLeandrooooo/01090be3023f5e7c7397bb9b1f5505b9", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.outsystems.com/forge/component-overview/200/multiple-file-upload-o11", "tags": ["Product"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "cve@mitre.org", "description": [{"lang": "en", "value": "CWE-602"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "The Multiple File Upload add-on component 3.1.0 for OutSystems is vulnerable to Unrestricted File Upload. This occurs because file extension and size validations are enforced solely on the client side. An attacker can intercept the upload request and modify a parameter to bypass extension restrictions and upload arbitrary files. NOTE: this is a third-party component that is not supplied or supported by OutSystems."}, {"lang": "es", "value": "La versi\u00f3n anterior a la 3.1.0 de Outsystems Multiple File Upload es vulnerable a la carga de archivos sin restricciones. Esta vulnerabilidad se debe a que las validaciones de extensi\u00f3n y tama\u00f1o de archivo se aplican \u00fanicamente en el lado del cliente. Un atacante puede interceptar la solicitud de carga y modificar el par\u00e1metro para eludir las restricciones de extensi\u00f3n y cargar archivos arbitrarios."}], "lastModified": "2025-06-17T14:15:20.720", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:multiple_file_upload_project:multiple_file_upload:3.1.0:*:*:*:*:outsystems:*:*", "vulnerable": true, "matchCriteriaId": "7FC6134C-BD60-43D3-A3C7-C2FB4740B03D"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}