VulnerableCode Vulnerability Details - VCID-bq83-tngb-yfhw

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-bq83-tngb-yfhw

Essentials
Severities (3)
References (4)
Severity details (3)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-bq83-tngb-yfhw
Aliases	GHSA-5vv7-j593-mgjc
Summary	Neos Flow Arbitrary file upload and XML External Entity processing It has been discovered that Flow 3.0.0 allows arbitrary file uploads, inlcuding server-side scripts, posing the risk of attacks. If those scripts are executed by the server when accessed through their public URL, anything not blocked through other means is possible (information disclosure, placement of backdoors, data removal, …). Note: The upload of files is only possible if the application built on Flow provides means to do so, and whether or not the upload of files poses a risk is dependent on the system setup. If uploaded script files are not executed by the server, there is no risk. In versions prior to 3.0.0 the upload of files with the extension php was blocked. In Flow 2.3.0 to 2.3.6 a potential XML External Entity processing vulnerability has been discovered in the MediaTypeConverter.
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (2)

CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
generic_textual	MODERATE	https://github.com/FriendsOfPHP/security-advisories/blob/master/neos/flow/2015-11-23.yaml
generic_textual	MODERATE	https://github.com/neos/flow
generic_textual	MODERATE	https://www.neos.io/blog/flow-sa-2015-001.html

Reference id	Reference type	URL
		https://github.com/FriendsOfPHP/security-advisories/blob/master/neos/flow/2015-11-23.yaml
		https://github.com/neos/flow
		https://www.neos.io/blog/flow-sa-2015-001.html
GHSA-5vv7-j593-mgjc		https://github.com/advisories/GHSA-5vv7-j593-mgjc

No exploits are available.

No EPSS data available for this vulnerability.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-04T16:21:43.662991+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/neos/flow/GHSA-5vv7-j593-mgjc.yml	38.6.0