Critical File Upload Vulnerability Patched in Verge3D Publishing and E-Commerce Software

CVE: CVE-2023-51421
CVSS (v3.1): 9.9
Source: CVE-2023-51421

The ID CVE-2023-51421 refers to an Unrestricted Upload of File with Dangerous Type vulnerability found in Soft8Soft LLC's Verge3D Publishing and E-Commerce software. This vulnerability received a CVSS v3.1 score of 9.9, in the critical range, because of the severity of the risks it poses.

Verge3D allows users to upload 3D models and other files to an online publishing platform. The vulnerability arose because Verge3D failed to properly validate the file type of uploaded files. This allowed any file to be uploaded, including executable files like .exe or .dll files.

An attacker could craft a malicious file with a hidden executable payload and name it to appear as an innocent file type like .jpg or .pdf. If uploaded and downloaded and run on a user’s computer, this file could then install malware or steal sensitive data.

Soft8Soft has now patched this issue in Verge3D versions 4.5.3 and above. Administrators should immediately update their installations. Users should be wary of downloading or opening any unexpected files from third parties while older versions may still be vulnerable. Proper input validation is important for any software allowing external file uploads to avoid security risks.
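The advisory closes with the general point that upload handlers must validate the file type rather than trust the name the client supplies. The following Python example, added here and not taken from Verge3D or the vendor's patch, shows what that validation looks like in practice: a server-side check that sanitises the filename, enforces an extension allow-list, sniffs the leading bytes so a renamed executable is caught even when it claims to be a `.jpg`, and stores the file under a server-chosen name. The allow-list, size limit and the `validate_upload` function are assumptions for this example; the file signatures are the standard ones for each format.

```python
import os
import re
import secrets

# Allow-list of extensions the platform expects, each mapped to the file
# signature (magic bytes) a genuine file of that type starts with.
# The list itself is an assumption for this example, not Verge3D's config.
ALLOWED_SIGNATURES = {
    "glb": [b"glTF"],                 # binary glTF 3D model
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "pdf": [b"%PDF-"],
}

# Signatures of native executables and scripts that are never accepted,
# whatever the claimed extension says.
EXECUTABLE_SIGNATURES = [
    b"MZ",                                      # Windows PE (.exe/.dll)
    b"\x7fELF",                                 # Linux ELF
    b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",   # Mach-O, big-endian magic
    b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe",   # Mach-O, little-endian magic
    b"#!",                                      # script with interpreter line
]

SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")
MAX_SIZE = 50 * 1024 * 1024  # 50 MiB cap (assumed value)


def validate_upload(filename, data):
    """Check an uploaded file; return (accepted, reason, stored_name)."""
    # 1. Keep only the final path component and reject names with
    #    characters that could smuggle traversal, null bytes or encodings.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base.startswith(".") or not SAFE_NAME_RE.match(base):
        return False, "invalid filename", None
    if len(data) == 0 or len(data) > MAX_SIZE:
        return False, "invalid size", None

    # 2. Extension allow-list. The last extension decides, so a double
    #    extension such as "model.glb.exe" is judged by "exe" and rejected.
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_SIGNATURES:
        return False, f"extension not allowed: {ext or '(none)'}", None

    # 3. Never trust the extension alone: sniff the content. An executable
    #    renamed to .jpg fails here even though step 2 passed.
    for sig in EXECUTABLE_SIGNATURES:
        if data.startswith(sig):
            return False, "executable content detected", None
    if not any(data.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        return False, f"content does not match .{ext}", None

    # 4. Store under a random server-chosen name so the client-supplied
    #    name never reaches the filesystem or a download URL.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return True, "ok", stored


if __name__ == "__main__":
    # Constructed sample inputs: a minimal GLB header and a PE header.
    glb_header = b"glTF" + b"\x02\x00\x00\x00" + b"\x00" * 8
    pe_header = b"MZ\x90\x00" + b"\x00" * 60
    print(validate_upload("model.glb", glb_header))
    print(validate_upload("photo.jpg", pe_header))
    print(validate_upload("model.glb.exe", glb_header))
```

The check is deliberately ordered so that the cheap name and size tests run before the content sniff, and so that the reason string tells an operator which layer rejected the file; logging those reasons gives a useful signal for spotting repeated attempts to push disguised executables through the upload endpoint.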