CVE-2025-28168
Published 2025-05-05
Priority: P2 · 61 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.28% (19.6th percentile)
The Multiple File Upload add-on component 3.1.0 for OutSystems is vulnerable to Unrestricted File Upload. This occurs because file extension and size validations are enforced solely on the client side. An attacker can intercept the upload request and modify a parameter to bypass extension restrictions and upload arbitrary files. NOTE: this is a third-party component that is not supplied or supported by OutSystems.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| multi_uploaders | multiple_file_upload | < 3.1.0 | 3.1.0 |
| multiple_file_upload_project | multiple_file_upload | — | — |
CVSS provenance
NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_oracle: 7.5 HIGH
GHSA
GHSA-x9rr-xwxc-jcjf: Outsystems Multiple File Upload < 3.1.0 (CVE-2025-28168, MEDIUM, CWE-434)
ghsa_unreviewed · 2025-05-05
Outsystems Multiple File Upload < 3.1.0 is vulnerable to Unrestricted File Upload. The vulnerability is because file extension and size validations are enforced solely on the client side. An attacker can intercept the upload request and modify the parameter to bypass extension restrictions and upload arbitrary files.
Oracle
Oracle Financial Services Applications Risk Matrix: Platform (Apache FOP), CVE-2024-28168 [HIGH]
vendor_oracle · 2025-10-15 · CVSS 7.5
CVE: CVE-2024-28168
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuoct2025 (OCT 2025)
Oracle
Oracle Hyperion Risk Matrix: Installation and Configuration (Apache FOP), CVE-2024-28168 [HIGH]
vendor_oracle · 2025-07-15 · CVSS 7.5
CVE: CVE-2024-28168
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2025 (JUL 2025)
Oracle
Oracle Communications Applications Risk Matrix: Print Preview (Apache FOP), CVE-2024-28168 [HIGH]
vendor_oracle · 2025-04-15 · CVSS 7.5
CVE: CVE-2024-28168
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuapr2025 (APR 2025)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.