The application allows file uploads without proper validation of file type, content, or size, enabling attackers to upload malicious files such as web shells or malware.
An attacker could upload web shells for remote code execution, store malware for distribution, overwrite critical files, or exhaust storage resources through unrestricted uploads.
Validate file types using content inspection, not just extensions. Store uploads outside the web root. Generate random filenames. Implement file size limits. Scan uploads with antivirus. Serve uploaded files with a non-executable content type.
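As an added illustration of those controls (example code, not part of the original finding), the Python below validates an upload by its leading bytes against a small allow-list, enforces a size cap, refuses a name whose last extension disagrees with the detected content, writes the file under a random server-chosen name into a directory outside the web root, and builds response headers that fix the served type and forbid browser sniffing. The `MAX_UPLOAD_BYTES` and `UPLOAD_DIR` values, the signature table, and the helper names (`validate_upload`, `store_upload`, `download_headers`, `run_demo`) are assumptions made for this example; the inputs in `run_demo` are constructed.

```python
import os
import secrets
import tempfile

# Hypothetical settings; a real deployment reads these from configuration.
MAX_UPLOAD_BYTES = 5 * 1024 * 1024          # hard size cap, checked before anything else
UPLOAD_DIR = "/var/app-data/uploads"        # outside the web root: never served directly

# Allow-list keyed on leading bytes ("magic numbers"). The client-supplied name
# and Content-Type header are never trusted to decide the type.
MAGIC_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": ("image/png", ".png"),
    b"\xff\xd8\xff": ("image/jpeg", ".jpg"),
    b"GIF87a": ("image/gif", ".gif"),
    b"GIF89a": ("image/gif", ".gif"),
    b"%PDF-": ("application/pdf", ".pdf"),
}
# Extensions accepted for each canonical extension.
EXT_ALIASES = {".jpg": {".jpg", ".jpeg"}}


class UploadRejected(ValueError):
    """Raised with a short reason when an upload fails validation."""


def detect_type(data: bytes):
    """Return (mime, canonical extension) from the file's leading bytes, or None."""
    for sig, typ in MAGIC_SIGNATURES.items():
        if data.startswith(sig):
            return typ
    return None


def validate_upload(data: bytes, claimed_name: str, max_bytes: int = MAX_UPLOAD_BYTES):
    """Reject empty, oversized, unlisted, or extension/content-mismatched uploads."""
    if not data:
        raise UploadRejected("empty file")
    if len(data) > max_bytes:
        raise UploadRejected("file exceeds size limit")
    detected = detect_type(data)
    if detected is None:
        raise UploadRejected("content type not in allow-list")
    mime, ext = detected
    # splitext takes the *last* extension, so "image.png.php" yields ".php" and is refused.
    claimed_ext = os.path.splitext(claimed_name)[1].lower()
    if claimed_ext not in EXT_ALIASES.get(ext, {ext}):
        raise UploadRejected("extension does not match content")
    return mime, ext


def rejection_reason(data: bytes, claimed_name: str, max_bytes: int = MAX_UPLOAD_BYTES):
    """Convenience wrapper: the rejection reason, or None if the upload is acceptable."""
    try:
        validate_upload(data, claimed_name, max_bytes)
    except UploadRejected as exc:
        return str(exc)
    return None


def store_upload(data: bytes, claimed_name: str, upload_dir: str = UPLOAD_DIR):
    """Validate, then write under a random name so the client never chooses a path."""
    mime, ext = validate_upload(data, claimed_name)
    # Random name plus server-chosen extension: no traversal, no collisions, no overwriting.
    stored_name = secrets.token_hex(16) + ext
    path = os.path.join(upload_dir, stored_name)
    # O_EXCL makes the write fail rather than replace an existing file; 0o600 keeps it private.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return stored_name, mime


def download_headers(stored_name: str, mime: str):
    """Headers for serving a stored file: type from inspection, no sniffing, as attachment."""
    return {
        "Content-Type": mime,                    # from detection, never echoed from the client
        "X-Content-Type-Options": "nosniff",     # browser must not guess a different type
        "Content-Disposition": f'attachment; filename="{stored_name}"',
    }


def run_demo():
    """Exercise the pipeline on constructed inputs in a temporary directory."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32      # constructed: PNG signature plus padding
    with tempfile.TemporaryDirectory() as tmp:
        name, mime = store_upload(png, "holiday.png", tmp)
        return {
            "stored_ext": os.path.splitext(name)[1],
            "stored_mime": mime,
            "name_is_random": name != "holiday.png" and len(name) == 32 + 4,
            "written_bytes": os.path.getsize(os.path.join(tmp, name)),
            "rename_trick": rejection_reason(png, "image.png.php"),
            "wrong_content": rejection_reason(b"<html>", "page.png"),
            "too_big": rejection_reason(png, "holiday.png", max_bytes=16),
            "empty": rejection_reason(b"", "x.png"),
            "jpeg_alias": rejection_reason(b"\xff\xd8\xff\xe0" + b"\x00" * 8, "cam.jpeg"),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Content inspection of the first bytes only establishes that a file begins like an allowed format; a file can carry both a valid image header and other content, which is why the storage location outside the web root, the server-chosen filename, the fixed `Content-Type` and the `nosniff` header remain necessary even after inspection, and why an antivirus scan of the stored file is a separate step not shown here.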