Outsystems
CVE-2020-29441
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
1DescriptionNVD
An issue was discovered in the Upload Widget in OutSystems Platform 10 before 10.0.1019.0. An unauthenticated attacker can upload arbitrary files. In some cases, this attack may consume the available database space (Denial of Service), corrupt legitimate data if files are being processed asynchronously, or deny access to legitimate uploaded files.
AnalysisAI
An issue was discovered in the Upload Widget in OutSystems Platform 10 before 10.0.1019.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Unrestricted File Upload (CWE-434), which allows attackers to upload malicious files that can be executed on the server. An issue was discovered in the Upload Widget in OutSystems Platform 10 before 10.0.1019.0. An unauthenticated attacker can upload arbitrary files. In some cases, this attack may consume the available database space (Denial of Service), corrupt legitimate data if files are being processed asynchronously, or deny access to legitimate uploaded files. Affected products include: Outsystems. Version information: before 10.0.1019.0..
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate file types server-side, store uploads outside webroot, use random filenames, scan for malware.
More in Outsystems
View allOutSystems Platform 10 through 11 allows ImageResourceDetail.aspx CSRF for content modifications and file uploads. Rated
The ECT Provider component in OutSystems Platform Server 10 before 10.0.1104.0 and 11 before 11.9.0 (and LifeTime manage
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today