CVE-2023-52086 - My security gift for the end of the year 2023.

I discovered this vulnerability in my brain while thinking about what was wrong in my unit tests. I realized that the code managed to write in the parent folder of my tests folder. So I made a very simple proof of concept and contacted the author by email. After a reply and the fixes, I opened a CVE request on the MITRE online form. Some more details can be found on VulDB, where I updated the entry.

The impact

Depending on the version of the PHP back-end used for resumable.js, the attacker can write a file on the server if it does not already exist. If the resumable.php back-end is not up to date, the attacker can also overwrite any file.
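
Both impacts described above (a write landing outside the intended folder, and an existing file being overwritten) can be closed off on the server side. The following is an added example, not code from resumable.php or from its fix; `safeStore()` and its parameters are hypothetical names, and it assumes the file name comes from the client request.

```php
<?php
declare(strict_types=1);

/**
 * Added example (hypothetical helper, not resumable.php code).
 * Stores $data under $uploadDir using a client-supplied name, without
 * leaving that directory and without overwriting an existing file.
 */
function safeStore(string $uploadDir, string $clientName, string $data): string
{
    $base = realpath($uploadDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('upload directory missing');
    }

    // Keep only the last path component, whichever separator the client used.
    $name = basename(str_replace('\\', '/', $clientName));
    if ($name === '' || $name === '.' || $name === '..' || strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('invalid file name');
    }
    $target = $base . DIRECTORY_SEPARATOR . $name;

    // Mode 'x' creates the file and fails if the path already exists
    // (symlinks included), so there is no check-then-write race.
    $fh = @fopen($target, 'xb');
    if ($fh === false) {
        throw new RuntimeException('file exists or cannot be created');
    }
    try {
        if (fwrite($fh, $data) === false) {
            throw new RuntimeException('write failed');
        }
    } finally {
        fclose($fh);
    }
    return $target;
}

// Constructed demo input: a traversal-style name, then the same name again.
$dir = sys_get_temp_dir() . '/upload_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
// The "../" prefix is discarded; the file is created inside $dir.
echo safeStore($dir, '../escaped.txt', 'first'), PHP_EOL;
try {
    // The second write targets an existing file and is refused.
    safeStore($dir, 'escaped.txt', 'second');
} catch (RuntimeException $e) {
    echo 'second write rejected: ', $e->getMessage(), PHP_EOL;
}
```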