CVE-2023-6551 Information

Description

As a simple library class.upload.php does not perform an in-depth check on uploaded files allowing a stored XSS vulnerability when the default configuration is used.

Developers must be aware of that fact and use extension whitelisting accompanied by forcing the server to always provide content-type based on the file extension.

The README has been updated to include these guidelines.

Reference

https://cert.pl/posts/2024/01/CVE-2023-6551 https://cert.pl/en/posts/2024/01/CVE-2023-6551