Description
Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site.
Remediation
References
Related Vulnerabilities
Apache Denial of service in mod_lua r:parsebody Vulnerability (CVE-2022-29404)
Moodle Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2024-34008)
WordPress Plugin Video.js-HTML5 Video Player for Wordpress Cross-Site Scripting (3.2.3)
WordPress Ultimate Member Plugin Improper Privilege Management Vulnerability (CVE-2020-36156)