Posted by Portcullis Advisories on Sep 25

Vulnerability title: Arbitrary File Upload In X2Engine Inc. X2Engine
CVE: CVE-2015-5074
Vendor: X2Engine Inc.
Product: X2Engine
Affected version: 4.2
Fixed version: 5.2
Reported by: Simone Quatrini
Details:

It was discovered that authenticated users were able to upload files of any type providing that the file did not have
an extension that was listed in the following blacklist:

const EXT_BLACKLIST =…