2 matches found
CVE-2020-26174
tangro Business Workflow before 1.18.1 requests a list of allowed filetypes from the server and restricts uploads to the filetypes contained in this list. However, this restriction is enforced in the browser client-side and can be circumvented. This allows an attacker to upload any file as an...
CVE-2020-26174
CVE-2020-26174 affects tangro Business Workflow prior to 1.18.1. The issue stems from a client-side only whitelist of allowed filetypes for uploads; the server-side enforcement is missing, allowing an attacker to upload any file as an attachment to a work item. No exploitation details are provide...