Larry Cashdollar, a Senior Security Response Engineer at Akamai, publicly disclosed the details of a vulnerability in the jQuery-File-Upload plugin (CVE-2018-9206).
The vulnerability does not require validation to upload files to the server and thus can be abused to upload web shells and/or backdoors on to the server.
What is most worrying about this vulnerability is that it has been actively exploited for years. It is not currently known exactly how long this vulnerability has been known to black hat hackers. However there have been YouTube videos detailing the exploitation of the vulnerability dated back as far as 2015.
Currently, remediation of this vulnerability will be difficult as the code responsible for the vulnerability has been incorporated throughout many products.
Because the code may be deeply ingrained in complex products such as blogging platforms, enterprise software, and customer relationship management software, experts warn that it may take years to identify the full impact.
To stay up to date on other threats and vulnerabilities our team has found, you can read our latest blog posts.