Code Execution via File Upload

  • CWE 434
  • PCI 3.2-6.5.1
  • OWASP 2013-A1
  • CAPEC 210
  • WASC 42

Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code onto the system to be attacked. After that, the attacker only needs to find a way to get the code executed. A file upload feature helps the attacker accomplish the first step.

The consequences of unrestricted file upload vary and include:

  • complete system takeover
  • an overloaded file system or database
  • forwarding attacks to back-end systems
  • client-side attacks
  • simple defacement.

Which of these consequences applies depends on what the application does with the uploaded file and especially where it is stored.
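The following is an added example, not part of the original page: a Python upload handler that makes the storage decisions discussed above explicit (where the file lands, what it is named, how large it may be). The names `store_upload` and `UploadRejected`, the size cap and the extension allowlist are assumptions chosen for illustration, and the sample uploads are constructed.

```python
import os
import tempfile
import uuid
from pathlib import Path

MAX_BYTES = 2 * 1024 * 1024            # assumed per-file size cap
ALLOWED_EXT = {".png", ".jpg", ".pdf"}  # assumed allowlist for this application


class UploadRejected(Exception):
    pass


def store_upload(data: bytes, client_name: str, upload_dir: Path, web_root: Path) -> Path:
    """Store an upload so it cannot be requested and executed as server-side code."""
    upload_dir, web_root = upload_dir.resolve(), web_root.resolve()
    # Where it is stored: never inside the tree the web server serves or executes from.
    if upload_dir == web_root or web_root in upload_dir.parents:
        raise UploadRejected("upload directory is inside the web root")
    # Bound the size so uploads cannot fill the file system.
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    # Only the extension of the client-supplied name is used, and only if allowlisted.
    ext = Path(client_name).suffix.lower()
    if ext not in ALLOWED_EXT:
        raise UploadRejected(f"extension {ext!r} not allowed")
    # Server-generated name: the client's name and any path in it never reach the disk.
    target = upload_dir / (uuid.uuid4().hex + ext)
    # O_EXCL refuses to overwrite; mode 0o600 sets no execute bit.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


def demo() -> dict:
    """Run constructed sample uploads through store_upload and report the outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        web_root, uploads = Path(tmp, "www"), Path(tmp, "uploads")
        web_root.mkdir()
        uploads.mkdir()
        for name in ("shell.php", "../../www/logo.png", "report.pdf.php"):
            try:
                path = store_upload(b"constructed sample bytes", name, uploads, web_root)
                results[name] = path.parent == uploads.resolve()
            except UploadRejected:
                results[name] = "rejected"
    return results
```

An extension allowlist says nothing about the file's content, so files that are later served back to users still need content-type handling on the download side.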
