CVE-2025-28168

Published: May 5, 2025Modified: Sep 30, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

The Multiple File Upload add-on component 3.1.0 for OutSystems is vulnerable to Unrestricted File Upload. This occurs because file extension and size validations are enforced solely on the client side. An attacker can intercept the upload request and modify a parameter to bypass extension restrictions and upload arbitrary files. NOTE: this is a third-party component that is not supplied or supported by OutSystems.

Affected (1)

Products: Multiple File Upload Project: Multiple File Upload

Multiple File Upload Project

1 product

Multiple File Upload

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Multiple File Upload Project Multiple File Upload	Version 3.1.0

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Client-Side Enforcement of Server-Side Security

The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.

References (2)

https://gist.github.com/IamLeandrooooo/01090be3023f5e7c7397bb9b1f5505b9

Source: cve@mitre.org

Third Party Advisory

https://www.outsystems.com/forge/component-overview/200/multiple-file-upload-o11

Source: cve@mitre.org

Product

Timeline

No history available yet.