CVE-2020-5237: 
PHP vulnerability analysis and mitigation

CVE-2020-5237 affects the OneupUploaderBundle library before versions 1.9.3 and 2.1.5. The vulnerability was discovered on January 27, 2020, and publicly disclosed on February 4, 2020. This security issue involves multiple relative path traversal vulnerabilities that allow remote attackers to upload, copy, and manipulate files in arbitrary locations (SYSS Advisory).

The vulnerability exists in the web service for chunked file uploads. While the POST parameter names vary depending on the frontend used (FineUploader, jQuery File Uploader, Dropzone, etc.), their values are used to build paths for storing and assembling temporary chunks. The lack of proper parameter validation makes OneupUploaderBundle susceptible to path traversal attacks. The vulnerability affects the default configuration which saves chunks in the directory structure: var/cache/{servername}/uploader/chunks/{qquuid}/{qqpartindex}_{qqfilename} (SYSS Advisory).

The vulnerability can be exploited by users with legitimate access to the upload functionality. Successful exploitation can lead to arbitrary code execution, denial of service, and disclosure of confidential information. Attackers can upload files to arbitrary folders on the filesystem, and the assembly process can be misused to delete and copy files to other locations (GitHub Advisory).

The vulnerability has been fixed in versions 1.9.3 and 2.1.5 of OneupUploaderBundle. Users should update to these patched versions to protect against path traversal attacks (GitHub Advisory).