Potential security risk in <Import Data> feature
The file upload used by the [Import Data] feature in the Settings interface does not restrict uploads to the .episerverdata extension. Files with other extensions can be uploaded (including files packed inside a zip archive), which may pose a security threat to the platform. Specifically, when a zipped antivirus test file is uploaded, the system displays <Import successful>.
Allowing an undesirable or malicious file to reside on a system—even if it is not immediately executed or processed—constitutes a security vulnerability in itself. "Unrestricted upload of file with dangerous type" is formally documented as a common weakness under CWE-434, highlighting that simply permitting such files onto a system can lead to future exploits, regardless of whether the file is executed immediately. Attackers often leverage this "foot in the door" to trigger the file at a later time or wait for an unsuspecting user or automated routine to open or invoke the file.
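As an illustration of the CWE-434 control the report asks for, the following is an added example (not Optimizely/Episerver code) of how an import endpoint can validate an upload before anything is written to disk. It assumes that an .episerverdata package is a ZIP archive whose members are XML/text entries; the allowed extensions, size limits and member types are assumptions and should be set from the real package format. The check rejects by extension, by content (magic bytes, not just the name), by member type inside the archive, by path traversal in member names, and by uncompressed size.

```python
import io
import posixpath
import zipfile

# Added example, not Episerver/Optimizely code. Assumptions: the import package
# is a ZIP with the .episerverdata extension and only contains entries of the
# types in ALLOWED_MEMBER_SUFFIXES; both sets should match the real format.
ALLOWED_EXTENSIONS = {".episerverdata"}
ALLOWED_MEMBER_SUFFIXES = {".xml", ".txt"}      # assumed inner entry types
MAX_UPLOAD_BYTES = 50 * 1024 * 1024             # assumed limit on the upload
MAX_UNCOMPRESSED_BYTES = 500 * 1024 * 1024      # zip-bomb guard (assumed limit)
ZIP_MAGIC = b"PK\x03\x04"                       # local file header of a non-empty ZIP


class UploadRejected(ValueError):
    """Raised with a reason when an upload fails validation."""


def _safe_member_name(name: str) -> bool:
    # Reject absolute paths, drive letters and directory traversal in entries.
    if not name or name.startswith(("/", "\\")) or ":" in name:
        return False
    norm = posixpath.normpath(name.replace("\\", "/"))
    return norm != ".." and not norm.startswith("../") and not norm.startswith("/")


def validate_import_upload(filename: str, data: bytes) -> list[str]:
    """Return the validated member names of the package, or raise UploadRejected."""
    suffix = posixpath.splitext(filename.lower())[1]
    if suffix not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {suffix!r} not allowed")
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("upload too large")
    # Check the content, not only the name: a renamed .exe has no ZIP header.
    if not data.startswith(ZIP_MAGIC):
        raise UploadRejected("content is not a ZIP archive")
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise UploadRejected(f"corrupt archive: {exc}") from None

    total = 0
    names: list[str] = []
    for info in archive.infolist():
        if info.is_dir():
            continue
        if not _safe_member_name(info.filename):
            raise UploadRejected(f"unsafe member path {info.filename!r}")
        member_suffix = posixpath.splitext(info.filename.lower())[1]
        if member_suffix not in ALLOWED_MEMBER_SUFFIXES:
            raise UploadRejected(f"member {info.filename!r} has a disallowed type")
        total += info.file_size
        if total > MAX_UNCOMPRESSED_BYTES:
            raise UploadRejected("archive expands beyond the allowed size")
        names.append(info.filename)
    if not names:
        raise UploadRejected("archive contains no importable entries")
    return names


def is_accepted(filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if the upload passes validation."""
    try:
        validate_import_upload(filename, data)
        return True
    except UploadRejected:
        return False


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build a sample archive in memory (constructed test data, not a real package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    good = build_zip({"export.xml": b"<export/>"})
    print("accepted:", validate_import_upload("site.episerverdata", good))
    samples = [
        ("site.exe", good),                                          # wrong extension
        ("site.episerverdata", b"MZ\x90\x00" + b"\x00" * 60),        # PE file renamed
        ("site.episerverdata", build_zip({"tool.exe": b"MZ"})),      # executable inside
        ("site.episerverdata", build_zip({"../web.config": b"<x/>"})),  # traversal
    ]
    for name, blob in samples:
        try:
            validate_import_upload(name, blob)
        except UploadRejected as exc:
            print("rejected:", name, "->", exc)
```

The type and path checks stop a renamed executable or a binary hidden inside the archive, but they say nothing about the content of an entry that has an allowed type: the antivirus test file from the report would still pass if it were stored as a .txt member, so the accepted upload should also be handed to a malware scanner before the import runs, and the import should write only into its own working directory.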
