CVE-2018-9207: Arbitrary file upload

November 19, 2018 (updated December 18, 2018)

The code in php/upload.php does not check for a file type or for requiring any authentication allowing a user to upload an executable file to the /uploads/ directory if it exists.

References

www.vapidlabs.com/advisory.php?v=206

Code Behaviors & Features

Detect and mitigate CVE-2018-9207 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →