VYPR
High severity · NVD Advisory · Published Feb 5, 2020 · Updated Aug 4, 2024

Relative Path Traversal in oneup/uploader-bundle

CVE-2020-5237

Description

Multiple relative path traversal vulnerabilities in the oneup/uploader-bundle before 1.9.3 and 2.1.5 allow remote attackers to upload, copy, and modify files on the filesystem (potentially leading to arbitrary code execution) via the (1) filename parameter to BlueimpController.php; the (2) dzchunkindex, (3) dzuuid, or (4) filename parameter to DropzoneController.php; the (5) qqpartindex, (6) qqfilename, or (7) qquuid parameter to FineUploaderController.php; the (8) x-file-id or (9) x-file-name parameter to MooUploadController.php; or the (10) name or (11) chunk parameter to PluploadController.php. This is fixed in versions 1.9.3 and 2.1.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2020-5237: Multiple relative path traversal flaws in OneupUploaderBundle allow arbitrary file upload and modification, risking code execution.

Vulnerability

Description

Multiple relative path traversal vulnerabilities exist in the OneupUploaderBundle for Symfony in versions before 1.9.3 (1.x branch) and 2.1.5 (2.x branch). The bundle accepts chunked uploads from several JavaScript frontends (Blueimp, Dropzone, FineUploader, MooUpload, Plupload) but uses request parameters unchanged when it builds the temporary chunk paths [1][2]: the upload identifier (for example dzuuid or qquuid) becomes a directory component, and the chunk index and original filename (for example dzchunkindex and qqfilename) are joined into the chunk file name. None of the parameters named in the advisory (filename, dzchunkindex, dzuuid, qqpartindex, qqfilename, qquuid, x-file-id, x-file-name, name, chunk) is sanitized, so an attacker can embed directory traversal sequences such as ../ in any of them [2].

Attack

Vector and Exploitation

Anyone who can reach the upload endpoint, with whatever authentication the application places in front of it, can send requests carrying traversal sequences in the vulnerable parameters. A uuid such as ../../public makes the bundle create the chunk directory outside the intended temporary folder, and a chunk index or filename containing ../ moves the written file out of the per-upload directory in the same way [2]. The attacker controls both the content of the uploaded file and the location it is written to [3].

Impact

Successful exploitation lets an attacker upload, copy, or modify files anywhere the web server user can write. Writing a PHP file under the document root yields arbitrary code execution; overwriting configuration or application files causes denial of service; and because the chunk assembly step reads from the directory named by the uuid, pointing it at another location can copy protected files into a publicly reachable path [1][2].

Mitigation

The vulnerability is fixed in versions 1.9.3 and 2.1.5 of the bundle. The patch casts the chunk index parameters to integers in the Dropzone, FineUploader and Plupload controllers and applies basename() to the uuid in the addChunk() and getChunks() methods of the filesystem, Flysystem and Gaufrette chunk storages, so the directory component can no longer carry a path; the storage-level check is the one that applies regardless of which frontend controller handled the request [3]. Upgrade immediately; no vendor workaround for vulnerable versions has been published. Until the upgrade lands, rejecting requests whose uuid, index or filename parameters contain a slash or a .. segment, at the web server or in a request listener, is the obvious stop-gap, and it is worth keeping such a strict-format check even after upgrading, because basename() normalises rather than rejects (a uuid of .. still comes out as ..).
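The following is an added example, not code from OneupUploaderBundle: it reproduces the vulnerable shape of the chunk path construction (directory/uuid, then index_filename, as in the storage backends) beside a hardened builder that rejects rather than normalises. The chunk root, the FineUploader parameter names reused as keys, the sample requests and the normalizePath() helper are all constructed for illustration.

```php
<?php
// Added example (not from the OneupUploaderBundle code base). Contrasts a
// path builder that uses raw request parameters with one that validates
// them. CHUNK_DIR and the request arrays below are made up for the demo.

declare(strict_types=1);

const CHUNK_DIR = '/var/www/app/var/uploads/chunks';   // assumed chunk root

/**
 * Vulnerable shape: uuid, index and original name come straight from the
 * request and are interpolated into the path, as in the unpatched bundle.
 */
function vulnerableChunkPath(array $params): string
{
    $dir  = sprintf('%s/%s', CHUNK_DIR, $params['qquuid']);
    $name = sprintf('%s_%s', $params['qqpartindex'], $params['qqfilename']);

    return $dir . '/' . $name;
}

/**
 * Hardened builder. The uuid is checked against a strict character class
 * instead of being passed through basename(), because basename('..') is
 * still '..'. The chunk index is cast to a non-negative int, and the client
 * filename is reduced to a basename and a safe character set.
 */
function hardenedChunkPath(array $params): string
{
    $uuid = (string) $params['qquuid'];
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$/', $uuid)) {
        throw new InvalidArgumentException('invalid chunk uuid');
    }

    $index = (int) $params['qqpartindex'];   // '../x' becomes 0
    if ($index < 0) {
        throw new InvalidArgumentException('invalid chunk index');
    }

    $original = basename((string) $params['qqfilename']);
    $original = preg_replace('/[^A-Za-z0-9._-]/', '_', $original);
    if ($original === '' || $original === '.' || $original === '..') {
        throw new InvalidArgumentException('invalid filename');
    }

    $path = sprintf('%s/%s/%d_%s', CHUNK_DIR, $uuid, $index, $original);

    // Defence in depth: the lexically normalised path must stay under CHUNK_DIR.
    if (strpos(normalizePath($path), CHUNK_DIR . '/') !== 0) {
        throw new InvalidArgumentException('path escapes chunk directory');
    }

    return $path;
}

/** Hypothetical helper: resolves '.' and '..' lexically, without touching disk. */
function normalizePath(string $path): string
{
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($out);
            continue;
        }
        $out[] = $seg;
    }

    return '/' . implode('/', $out);
}

// Constructed requests: one benign upload and three traversal attempts.
$requests = [
    'benign'       => ['qquuid' => '3f2b8c1e', 'qqpartindex' => '2', 'qqfilename' => 'report.pdf'],
    'uuid-escape'  => ['qquuid' => '../../../public', 'qqpartindex' => '0', 'qqfilename' => 'shell.php'],
    'dotdot-uuid'  => ['qquuid' => '..', 'qqpartindex' => '0', 'qqfilename' => 'x.php'],
    'index-escape' => ['qquuid' => '3f2b8c1e', 'qqpartindex' => '../../../public/0', 'qqfilename' => 'shell.php'],
];

foreach ($requests as $label => $params) {
    printf("%-13s vulnerable: %s\n", $label, normalizePath(vulnerableChunkPath($params)));
    try {
        printf("%-13s hardened:   %s\n", '', hardenedChunkPath($params));
    } catch (InvalidArgumentException $e) {
        printf("%-13s hardened:   rejected (%s)\n", '', $e->getMessage());
    }
}
```

Run it with `php example.php`. The vulnerable builder resolves the uuid-escape request to a file directly under /var/www/app/public, which is the code-execution case from the Impact section, and the dotdot-uuid request to the parent of the chunk root; the hardened builder rejects both, while the index-escape request survives harmlessly because the int cast turns the crafted index into 0.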

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                              Affected versions    Patched versions
oneup/uploader-bundle (Packagist)    >= 2.0.0, < 2.1.5    2.1.5
oneup/uploader-bundle (Packagist)    >= 1.0.0, < 1.9.3    1.9.3

Affected products

3

Patches

1
a6011449b716

Merge pull request from GHSA-x8wj-6m73-gfqp

https://github.com/1up-lab/OneupUploaderBundle · David Greminger · Feb 4, 2020 · via ghsa
6 files changed · +24 −6
  • Controller/DropzoneController.php (+2 −2, modified)
    @@ -42,8 +42,8 @@ public function upload()
         protected function parseChunkedRequest(Request $request)
         {
             $totalChunkCount = $request->get('dztotalchunkcount');
    -        $index = $request->get('dzchunkindex');
    -        $last = ((int) $index + 1) === (int) $totalChunkCount;
    +        $index = (int) $request->get('dzchunkindex');
    +        $last = ($index + 1) === (int) $totalChunkCount;
             $uuid = $request->get('dzuuid');
     
             /**
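Review bot: `$uuid = $request->get('dzuuid')` on the line after the change is still passed through untouched, so this controller now depends on the storage backends applying basename() to it; `$totalChunkCount` is likewise kept as a raw string and only cast at the comparison. Cast `$totalChunkCount` to int where it is read, as is now done for `$index`, and note in a comment that `dzuuid` is sanitized downstream rather than here.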
    
  • Controller/FineUploaderController.php (+3 −3, modified)
    @@ -40,11 +40,11 @@ public function upload()
     
         protected function parseChunkedRequest(Request $request)
         {
    -        $index = $request->get('qqpartindex');
    -        $total = $request->get('qqtotalparts');
    +        $index = (int) $request->get('qqpartindex');
    +        $total = (int) $request->get('qqtotalparts');
             $uuid = $request->get('qquuid');
             $orig = $request->get('qqfilename');
    -        $last = ((int) $total - 1) === (int) $index;
    +        $last = ($total - 1) === $index;
     
             return [$last, $uuid, $index, $orig];
         }
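Review bot: `$uuid` (qquuid) and `$orig` (qqfilename) are still returned raw from this method, and qqfilename is one of the parameters the advisory names but nothing else in this patch touches it; confirm where the original filename is reduced to a basename before it reaches the storage layer, or do it here next to the int casts. The rewritten `$last = ($total - 1) === $index;` is a good simplification now that both operands are ints.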
    
  • Controller/PluploadController.php (+1 −1, modified)
    @@ -35,7 +35,7 @@ protected function parseChunkedRequest(Request $request)
             $session = $this->container->get('session');
     
             $orig = $request->get('name');
    -        $index = $request->get('chunk');
    +        $index = (int) $request->get('chunk');
             $last = (int) $request->get('chunks') - 1 === (int) $request->get('chunk');
     
             // it is possible, that two clients send a file with the
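Review bot: the `$last` line directly below the change still re-reads `$request->get('chunk')` and `$request->get('chunks')` instead of using the freshly cast `$index`; use `$last = (int) $request->get('chunks') - 1 === $index;` so the two reads cannot disagree. `$orig = $request->get('name')` is also left raw even though `name` is listed as a vector in the advisory, so the same question as for the other controllers applies: where is it sanitized?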
    
  • Uploader/Chunk/Storage/FilesystemStorage.php (+6 −0, modified)
    @@ -38,6 +38,9 @@ public function clear($maxAge)
     
         public function addChunk($uuid, $index, UploadedFile $chunk, $original)
         {
    +        // Prevent path traversal attacks
    +        $uuid = basename($uuid);
    +
             $filesystem = new Filesystem();
             $path = sprintf('%s/%s', $this->directory, $uuid);
             $name = sprintf('%s_%s', $index, $original);
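Review bot: basename() is not a sufficient traversal guard here, because basename('..') returns '..' (and basename('.') returns '.'), so `$path = sprintf('%s/%s', $this->directory, $uuid)` can still resolve to the parent of the chunk directory; validate `$uuid` against a strict pattern such as `preg_match('/^[A-Za-z0-9_-]+$/', $uuid)` and reject anything else. `$original` is also interpolated unchanged into `$name = sprintf('%s_%s', $index, $original)` two lines below; apply basename() to it as well unless every controller guarantees it.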
    @@ -106,6 +109,9 @@ public function cleanup($path)
     
         public function getChunks($uuid)
         {
    +        // Prevent path traversal attacks
    +        $uuid = basename($uuid);
    +
             $finder = new Finder();
             $finder
                 ->in(sprintf('%s/%s', $this->directory, $uuid))->files()->sort(function (\SplFileInfo $a, \SplFileInfo $b) {
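Review bot: basename('') returns '', so an empty uuid makes `->in(sprintf('%s/%s', $this->directory, $uuid))` point at the chunk root itself rather than at one upload's directory; reject empty and dot-only uuids before building the path. The identical three-line guard now appears in both methods of this class; a single private `sanitizeUuid()` used by both would keep the two copies from drifting.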
    
  • Uploader/Chunk/Storage/FlysystemStorage.php (+6 −0, modified)
    @@ -65,6 +65,9 @@ public function clear($maxAge, $prefix = null)
     
         public function addChunk($uuid, $index, UploadedFile $chunk, $original)
         {
    +        // Prevent path traversal attacks
    +        $uuid = basename($uuid);
    +
             $this->unhandledChunk = [
                 'uuid' => $uuid,
                 'index' => $index,
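Review bot: `$index` is stored raw in `unhandledChunk` while `$uuid` is sanitized; the int casts added in this patch live only in the Dropzone, FineUploader and Plupload controllers, and the advisory also names BlueimpController and MooUploadController, which this diff does not touch, so cast `(int) $index` here as well rather than relying on every caller to do it.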
    @@ -136,6 +139,9 @@ public function cleanup($path)
     
         public function getChunks($uuid)
         {
    +        // Prevent path traversal attacks
    +        $uuid = basename($uuid);
    +
             return $this->filesystem->listFiles($this->prefix.'/'.$uuid);
         }
     
    
  • Uploader/Chunk/Storage/GaufretteStorage.php (+6 −0, modified)
    @@ -98,6 +98,9 @@ public function clear($maxAge, $prefix = null)
          */
         public function addChunk($uuid, $index, UploadedFile $chunk, $original)
         {
    +        // Prevent path traversal attacks
    +        $uuid = basename($uuid);
    +
             $this->unhandledChunk = [
                 'uuid' => $uuid,
                 'index' => $index,
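Review bot: this is the fifth copy of the same `// Prevent path traversal attacks` / `$uuid = basename($uuid);` pair across the three storage backends; move the check into the shared caller that invokes addChunk() and getChunks(), or into a trait, so that a future backend cannot omit it, and keep the explanatory comment next to the one remaining copy.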
    @@ -170,6 +173,9 @@ public function cleanup($path)
     
         public function getChunks($uuid)
         {
    +        // Prevent path traversal attacks
    +        $uuid = basename($uuid);
    +
             $results = $this->filesystem->listKeys($this->prefix.'/'.$uuid);
     
             /* exclude files without an index, so if there is a completed file which
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.