CVE-2024-0916: Php Uvdesk Uploadfile Rename Defaults False
The uploadFile() method declares a rename/sanitize flag parameter (e.g., $renameFile) that defaults to false. Callers that don't explicitly pass true will keep the attacker-controlled client filename verbatim, including dangerous extensions like .php. This enables Unrestricted File Upload (CWE-434) leading to RCE when files land under a web-served directory.
greprules fetch cve-2024-0916-php-uvdesk-uploadfile-rename-defaults-false --engine opengrepDescription
The uploadFile() method declares a rename/sanitize flag parameter (e.g., $renameFile) that defaults to false. Callers that don't explicitly pass true will keep the attacker-controlled client filename verbatim, including dangerous extensions like .php. This enables Unrestricted File Upload (CWE-434) leading to RCE when files land under a web-served directory.
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided
Community feedback
Sign in to report false positives, mark this rule useful, or suggest metadata improvements.