/

Unrestricted Image Upload in causefx/organizr

Valid

Reported on

Apr 15th 2022

Description

When testing file upload function in Organizr (2.1.1830), there are improvement on image upload features in Image Manager. But user can bypass it by identify double extension file type method

Proof of Concept

Login and go to Settings -> Image Manager
Upload file with double extension jpg/png ** test on php & svg file

Screenshot

Impact

This is not the security issues since all those file uploaded being tested cannot be execute. This flaws allow user to upload another file that no need for the application.

We are processing your report and will contact the causefx/organizr team within 24 hours. a year ago

causefx validated this vulnerability a year ago

din has been awarded the disclosure bounty

The fix bounty is now up for grabs

commented a year ago

Maintainer

i will move over to mime type checking....

commented a year ago

Researcher

Thanks for validating this

We have sent a fix follow up to the causefx/organizr team. We will try again in 7 days. a year ago

causefx marked this as fixed in 2.1.1840 with commit 513aec a year ago

causefx has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation

We are processing your report and will contact the causefx/organizr team within 24 hours. a year ago

causefx validated this vulnerability a year ago

din has been awarded the disclosure bounty

The fix bounty is now up for grabs

commented a year ago

Maintainer

i will move over to mime type checking....

commented a year ago

Researcher

Thanks for validating this

We have sent a fix follow up to the causefx/organizr team. We will try again in 7 days. a year ago

causefx marked this as fixed in 2.1.1840 with commit 513aec a year ago

causefx has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation