
CVE-2014-8739: jQuery File Upload Plugin Unrestricted file upload vulnerability

CVSS 3.1 Score
9.8

Basic Information

EPSS Score
0.98994%
Published
5/17/2022
Updated
4/25/2024
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name
blueimp/jquery-file-upload
Ecosystem
composer
Vulnerable Versions
= 6.4.4
First Patched Version
(not listed)

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from the file upload handler in UploadHandler.php failing to enforce proper file type validation. Multiple exploit references and the CWE-434 classification confirm this is an unrestricted file upload issue. The critical file path (server/php/UploadHandler.php) is explicitly mentioned in vulnerability descriptions, and the attack vector involves direct upload/execution of PHP files via this component. While the exact function name isn't explicitly stated in advisories, 'handleFileUpload' is the standard entry point for file processing in jQuery File Upload's architecture, making it the most likely vulnerable function.
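To make the root cause concrete, here is an added example (not the plugin's own code) contrasting a permissive upload configuration with a hardened one, plus a defence-in-depth check of the kind a handler like UploadHandler.php should run before writing any file. The option names mirror the plugin's public `accept_file_types` and `upload_dir` options; `validate_upload()` and `storage_name()` are hypothetical helpers.

```php
<?php
// Weak configuration (assumed to match the affected deployment): any file name is
// accepted and files are written to a directory the web server executes PHP from.
$weak_options = [
    'accept_file_types' => '/.+$/i',
    'upload_dir'        => __DIR__ . '/files/',
];

// Hardened configuration: allow-list of image extensions, storage outside the web root.
$hardened_options = [
    'accept_file_types' => '/\.(gif|jpe?g|png)$/i',
    'upload_dir'        => '/var/app/uploads/',   // not reachable through the web server
];

/**
 * Defence-in-depth validation run before the handler touches the disk.
 * Returns null when the file is acceptable, otherwise a short reason string.
 */
function validate_upload(string $client_name, string $tmp_path, array $options): ?string
{
    // 1. Extension allow-list applied to the basename only (path components stripped).
    $name = basename($client_name);
    if (!preg_match($options['accept_file_types'], $name)) {
        return 'extension not allowed';
    }
    // 2. Reject executable extensions anywhere in the name (shell.php.png, x.phtml).
    if (preg_match('/\.(php\d?|phtml|phar)(\.|$)/i', $name)) {
        return 'executable extension in name';
    }
    // 3. The content must really be an image, whatever the name claims.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp_path);
    if (!in_array($mime, ['image/gif', 'image/jpeg', 'image/png'], true)) {
        return "unexpected content type: $mime";
    }
    return null;
}

/**
 * Never reuse the client-supplied name on disk: random name, allow-listed extension.
 */
function storage_name(string $client_name): string
{
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed usage: a PHP file named to look like an image is refused.
// echo validate_upload('shell.php.png', '/tmp/phpA1b2', $hardened_options);
```

Keeping uploads outside the document root (or disabling script execution in the upload directory at the web server) is what stops an uploaded file from running even if a validation step is bypassed.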


WAF Protection Rules

WAF Rule

Unrestricted file upload vulnerability in `server/php/UploadHandler.php` in the jQuery File Upload Plugin 6.4.4 for jQuery, as used in the Creative Solutions Creative Contact Form (formerly Sexy Contact Form) before *.*.* for WordPress and before *.*
