Customer Feedback


Category: Roles and Security
Created by Guest
Created on Dec 23, 2024

Potential security risk in <Import Data> feature

The file upload used in the [Import Data] feature in the Settings interface does not limit the file extensions to .episerverdata only. Other file extensions can be uploaded (including files inside a zipped file), which may pose a security threat to the platform. Specifically, when uploading a zipped antivirus test file, the system displays <Import successful>.

Allowing an undesirable or malicious file to reside on a system—even if it is not immediately executed or processed—constitutes a security vulnerability in itself. “Unrestricted upload of file with dangerous type” is formally documented as a common weakness under CWE-434, highlighting that simply permitting such files onto a system can lead to future exploits, regardless of whether the file is executed immediately. Attackers often leverage this “foot in the door” to trigger the file at a later time or wait for an unsuspecting user or automated routine to open or invoke the file.
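The kind of server-side allowlist check this request asks for, written here as an added illustration rather than Optimizely/Episerver code: it treats .episerverdata (the extension named in the post) as the only importable type, and for zip uploads it opens the archive in memory and applies the same allowlist to every entry, also rejecting nested archives, path-traversal entry names and oversized content. The sample files, the 50 MiB size limit and the function names are constructed for this example.

```python
import io
import os
import zipfile

# Extensions the Import Data feature should accept. Treating
# ".episerverdata" as the only legitimate type is an assumption
# taken from the feedback post; adjust to the platform's real list.
ALLOWED_EXTENSIONS = frozenset({".episerverdata"})
ARCHIVE_EXTENSIONS = frozenset({".zip"})
MAX_UNCOMPRESSED = 50 * 1024 * 1024  # constructed limit against zip bombs


def extension_of(name):
    """Lower-cased final extension, e.g. 'Site.EPISERVERDATA' -> '.episerverdata'."""
    return os.path.splitext(name.lower())[1]


def _unsafe_entry_path(name):
    """True for entries that would escape the extraction directory."""
    parts = name.replace("\\", "/").split("/")
    return (
        name.startswith(("/", "\\"))
        or (len(name) > 1 and name[1] == ":")  # Windows drive letter
        or ".." in parts
    )


def validate_upload(filename, data, max_uncompressed=MAX_UNCOMPRESSED):
    """Decide whether an uploaded file may be accepted for import.

    Returns (accepted, reason). Plain files are judged by extension; zip
    archives are inspected entry by entry without extracting anything.
    """
    if "\x00" in filename:
        return False, "filename contains a NUL byte"
    ext = extension_of(filename)
    if ext in ALLOWED_EXTENSIONS:
        return True, "accepted"
    if ext not in ARCHIVE_EXTENSIONS:
        return False, f"extension {ext or '(none)'} is not allowed"

    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False, "not a valid zip archive"

    total = 0
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if _unsafe_entry_path(name):
                return False, f"archive entry {name!r} uses an unsafe path"
            entry_ext = extension_of(name)
            if entry_ext in ARCHIVE_EXTENSIONS:
                return False, f"nested archive {name!r} is not allowed"
            if entry_ext not in ALLOWED_EXTENSIONS:
                return False, f"archive entry {name!r} has disallowed extension {entry_ext or '(none)'}"
            total += info.file_size
            if total > max_uncompressed:
                return False, "archive exceeds the uncompressed size limit"
    if total == 0:
        return False, "archive contains no importable files"
    return True, "accepted"


def build_zip(entries):
    """Build an in-memory zip from {entry_name: bytes}; used to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples. The ".com" file stands in for the "zipped antivirus
# test file" from the post; its bytes are a harmless placeholder.
EXPORT_BYTES = b"<constructed episerver export package>"
PLACEHOLDER_BYTES = b"placeholder content, not a real test file"

if __name__ == "__main__":
    checks = {
        "site.episerverdata": EXPORT_BYTES,
        "av_test.com": PLACEHOLDER_BYTES,
        "good.zip": build_zip({"site.episerverdata": EXPORT_BYTES}),
        "bad.zip": build_zip({"av_test.com": PLACEHOLDER_BYTES}),
        "traversal.zip": build_zip({"../site.episerverdata": EXPORT_BYTES}),
        "nested.zip": build_zip({"inner.zip": build_zip({})}),
        "notazip.zip": b"plain text pretending to be a zip",
    }
    for fname, payload in checks.items():
        ok, why = validate_upload(fname, payload)
        print(f"{fname:18} -> {'ACCEPT' if ok else 'REJECT'}: {why}")
```

The extension allowlist is a gate, not proof of content: an import service would still parse the accepted package as an export bundle before writing anything to disk and keep the upload directory non-executable, so that a mislabeled file gains nothing from passing the name check.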