Moderate severity · NVD Advisory · Published Jan 4, 2024 · Updated Jun 3, 2025
Stored XSS in class.upload.php
CVE-2023-6551
Description
class.upload.php is a simple library and does not perform in-depth checks on uploaded files, so in its default configuration it allows a stored XSS: a file that satisfies MIME-type detection (for example one that begins as a valid GIF) can carry HTML and script, and with a .html extension it may be accepted and later rendered by the browser.
Developers must be aware of this and use extension whitelisting, combined with configuring the server to always derive the served Content-Type from the file extension.
The README has been updated to include these guidelines.
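The following example is added here to illustrate the three points the description makes; it is not code from the class.upload.php project or from the advisory. It builds the kind of file described (bytes that MIME detection classifies as a GIF, followed by HTML and script), shows that PHP's own `finfo` detection accepts it, then shows an upload configuration that whitelists extensions using the library's `allowed`, `forbidden` and `no_script` settings, and a download handler that sets the Content-Type from a fixed extension table rather than from the file body. The Composer namespace `Verot\Upload\Upload`, the field name `userfile`, the directory `UPLOAD_DIR` and the helper names are assumptions for the example.

```php
<?php
// Added example, not part of class.upload.php or of the advisory.
// Assumptions: library installed via Composer (namespace Verot\Upload\Upload),
// form field "userfile", uploads stored outside the web root in UPLOAD_DIR.
declare(strict_types=1);

require_once __DIR__ . '/vendor/autoload.php';

use Verot\Upload\Upload;

const UPLOAD_DIR = '/var/app/uploads';   // assumption: outside the web root

// Content types we are willing to serve inline, keyed by extension.
// Anything else is forced to download, so it never renders in our origin.
const INLINE_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

// GIF89a signature, a minimal logical screen descriptor and the trailer,
// followed by HTML. Magic-byte detection sees "GIF8" at offset 0 and reports
// image/gif; a browser handed the same bytes as text/html runs the script.
function gif_html_polyglot(): string
{
    return "GIF89a\x01\x00\x01\x00\x00\x00\x00\x3b"
         . '<html><body><script>alert(document.domain)</script></body></html>';
}

// PHP's finfo is one of the MIME detection methods such libraries rely on.
function detected_mime(string $bytes): string
{
    return (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);   // "image/gif" for the polyglot
}

// Upload side: whitelist extensions, discard the client-supplied file name,
// and keep the library's script neutralisation switched on (its default).
function store_upload(array $file): ?string
{
    $handle = new Upload($file);
    if (!$handle->uploaded) {
        return null;
    }
    $handle->allowed            = array_keys(INLINE_TYPES);   // extension whitelist
    $handle->forbidden          = [];                         // whitelist makes the blacklist moot
    $handle->no_script          = true;                       // library default, stated explicitly
    $handle->mime_check         = true;                       // library default, stated explicitly
    $handle->file_new_name_body = bin2hex(random_bytes(16));  // random basename, extension kept
    $handle->process(UPLOAD_DIR);
    if (!$handle->processed) {
        error_log('upload rejected: ' . $handle->error);
        $handle->clean();
        return null;
    }
    $handle->clean();
    return $handle->file_dst_name;   // e.g. "3f9c...e1.png"
}

// Serve side: the Content-Type comes from the stored extension and a fixed
// table, never from the bytes or the original name; sniffing is disabled and
// unknown extensions are downloaded instead of rendered.
function serve_upload(string $name): void
{
    if (!preg_match('/^[0-9a-f]{32}\.([a-z0-9]{1,5})$/', $name, $m)) {
        http_response_code(404);   // also rejects "../" and stray characters
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $ext = strtolower($m[1]);
    header('X-Content-Type-Options: nosniff');
    if (isset(INLINE_TYPES[$ext])) {
        header('Content-Type: ' . INLINE_TYPES[$ext]);
        header('Content-Disposition: inline');
    } else {
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename="' . $name . '"');
    }
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

if (PHP_SAPI === 'cli') {
    // Shows the detection gap: the payload passes MIME detection, so only the
    // extension policy and the serving headers stand between it and a browser.
    echo detected_mime(gif_html_polyglot()), PHP_EOL;
}
```

The point of `serve_upload` is that the file's own bytes never decide how the browser treats it: a polyglot stored as `.gif` is delivered as `image/gif` with `nosniff`, so the embedded markup is never parsed as HTML, while a name that does not match the whitelist is downloaded rather than rendered.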
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| verot/class.upload.php (Packagist) | <= 2.1.6 | — |
Patches
befbccc2330b Add a warning about security (CVE-2023-6551)
2 files changed · +20 −1
README.md+17 −0 modified@@ -168,6 +168,23 @@ echo $handle->process(); die(); ``` +### Warning about security + +By default, the class relies on MIME type detection to assess whether the file can be uploaded or not. Several MIME type detection methods are used, depending on the server configuration. The class relies on a blacklist of dangerous file extensions to prevent uploads (or to rename dangerous scripts as text files), as well as a whitelist of accepted MIME types. + +But it is not the purpose of this class to do in-depth checking and heuristics to attempt to detect maliciously crafted files. For instance, an attacker can craft a file that will have the correct MIME type, but will carry a malicious payload, such as a valid GIF file which would contain some code leading to a XSS vulnerability. If this GIF file has a .html extension, it may be uploaded (depending on the class's settings) and display an XSS vulnerability. + +However, you can mitigate this by restricting the kind of files that can be uploaded, using `allowed` and `forbidden`, to whitelist and blacklist files depending on their MIME type or extension. *The most secure option would be to only whitelist extensions that you want to allow through, and then making sure that your server always serves the file with the content-type based on the file extension.* + +For instance, if you only want to allow one type of file, you could whitelist only its file extension. In the following example, only .html files are let through, and are not converted to a text file: +```php +$handle->allowed = array('html'); +$handle->forbidden = array(); +$handle->no_script = false; +``` + +In the end, it is your responsibility to make sure the correct files are uploaded. But more importantly, it is your responsibility to serve the uploaded files correctly, for instance by forcing the server to always provide the content-type based on the file extension. + ### Troubleshooting
src/class.upload.php+3 −1 modified@@ -1892,6 +1892,8 @@ function init() { 'bat', 'phar', 'wsdl', + 'html', + 'htm', ); $this->forbidden = array_merge($this->dangerous, array( @@ -2118,7 +2120,7 @@ function __construct($file, $lang = 'en_GB') { */ function upload($file, $lang = 'en_GB') { - $this->version = '17/11/2023'; + $this->version = '07/12/2023'; $this->file_src_name = ''; $this->file_src_name_body = '';
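Review bot: in the new "Warning about security" section of README.md, the worked example (`$handle->allowed = array('html');`, `$handle->forbidden = array();`, `$handle->no_script = false;`) is exactly the configuration the preceding paragraph describes as the attack: a GIF-shaped file with a .html extension being uploaded and rendered. The closing advice, serving with a content-type based on the extension, does not protect that case, because for .html the extension-derived type is text/html, which is what makes the stored payload execute. Suggest either using an inert extension in the example or stating next to it that .html uploads are only safe when served from a separate origin or as an attachment. Minor wording: "display an XSS vulnerability" reads better as "result in an XSS vulnerability".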
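Review bot: the first src/class.upload.php hunk adds only `html` and `htm` to `$this->dangerous`; if `svg`, `xhtml`, `xht` and `shtml` are not already in the part of the list above the visible context, they belong in the same change, since a browser renders those as active content when they are served inline. Because `$this->forbidden` is built by `array_merge` from `$this->dangerous`, this hunk also changes behaviour for existing users who upload .html files with default settings (the README text in this patch says dangerous scripts are renamed as text files), so that deserves a changelog note next to the version bump in the second hunk.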
References
- https://cert.pl/en/posts/2024/01/CVE-2023-6551 (third-party advisory)
- https://cert.pl/posts/2024/01/CVE-2023-6551 (third-party advisory)
- https://github.com/advisories/GHSA-v6f4-jwv9-682w (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2023-6551 (NVD)
- https://github.com/verot/class.upload.php/commit/befbccc2330b0ccb148fc87495896bd7b57f8c57 (fix commit)