Unrestricted Image Upload in causefx/organizr


Reported on Apr 15th 2022


When testing the file upload function in Organizr (2.1.1830), there are improvements to the image upload feature in Image Manager, but a user can bypass them with the double extension file type method.

Proof of Concept

  1. Log in and go to Settings -> Image Manager
  2. Upload a file with a double extension (jpg/png); tested with php & svg files




This is not a security issue, since none of the uploaded files tested could be executed. This flaw allows a user to upload other files that the application has no need for.
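As an added illustration (not code from this report or from Organizr), the Python below puts an extension-only check of the kind a double-extension name defeats next to a hardened check that inspects only the final extension and the file's leading magic bytes; the exact shape of the original check is an assumption, since the report does not show Organizr's code. The content sniff is the server-side form of MIME type checking; the Content-Type header sent by the client must not be trusted for this purpose.

```python
import os
from typing import Optional, Tuple

ALLOWED = {"jpg", "jpeg", "png"}

# Leading bytes of the formats we accept (standard file signatures).
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
}


def naive_check(filename: str) -> bool:
    """Weak, extension-only check (assumed shape, not Organizr's code):
    any dotted segment that is an image extension is accepted, so a
    double-extension name such as 'x.jpg.php' passes."""
    segments = filename.lower().split(".")[1:]
    return any(s in ALLOWED for s in segments)


def sniff_type(data: bytes) -> Optional[str]:
    """Return the image type implied by the file's magic bytes, or None."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def hardened_check(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept only if the FINAL extension is allow-listed, the content's
    magic bytes match an allowed type, and the two agree."""
    base = os.path.basename(filename.replace("\\", "/"))
    name, dot, ext = base.rpartition(".")
    ext = ext.lower()
    if not dot or not name or ext not in ALLOWED:
        return False, f"final extension {ext!r} not allowed"
    kind = sniff_type(data)
    if kind is None:
        return False, "content is not a JPEG or PNG"
    if (kind == "jpg" and ext not in ("jpg", "jpeg")) or (kind == "png" and ext != "png"):
        return False, f"content {kind} does not match extension {ext}"
    return True, "ok"


# Constructed samples: a PNG header, and PHP/SVG bodies under image-like names.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_SAMPLE = b"<?php /* not an image */ ?>"
SVG_SAMPLE = b"<svg xmlns='http://www.w3.org/2000/svg'></svg>"

if __name__ == "__main__":
    for fname, data in [("logo.png", PNG_SAMPLE), ("logo.jpg.php", PHP_SAMPLE), ("logo.png.svg", SVG_SAMPLE)]:
        print(fname, naive_check(fname), hardened_check(fname, data))
```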

We are processing your report and will contact the causefx/organizr team within 24 hours. a year ago
causefx validated this vulnerability a year ago
din has been awarded the disclosure bounty
The fix bounty is now up for grabs
a year ago


I will move over to MIME type checking....

a year ago


Thanks for validating this

We have sent a fix follow up to the causefx/organizr team. We will try again in 7 days. a year ago
causefx marked this as fixed in 2.1.1840 with commit 513aec a year ago
causefx has been awarded the fix bounty
This vulnerability will not receive a CVE