This GitHub repository provides a security module for Magento 2 / Adobe Commerce that disables the unauthenticated customer address file upload REST endpoint. That endpoint is the entry point for the critical "SessionReaper" vulnerability (CVE-2025-54236), which can lead to remote code execution. The module's rationale is that an arbitrary file upload reachable without authentication is a risk in its own right, so the endpoint should be turned off even on stores that have already applied the vendor patch.
11 Nov 2025
Since Searchlight Cyber published a technical write-up and proof-of-concept for the SessionReaper vulnerability, attackers have been mass-scanning Magento / Adobe Commerce stores for vulnerable targets. The first phase of the attack uses the file upload endpoint to place a payload containing malicious session data on the server; the later phases then rely on that uploaded session.
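Because the attack starts with a POST to the upload endpoint, the most useful thing a store operator can do besides installing the module is to check the web-server access logs for that first phase. The following scanner is an added example, not code from the repository or from Searchlight Cyber. It assumes Apache/nginx "combined" log format and assumes the route path is /rest/V1/customers/addresses/file/upload (with Magento's optional store-code segment after /rest/); both are assumptions, not facts stated on the page, so adjust the pattern to your store's actual route. The sample log lines are constructed for the example.

```python
"""Scan access logs for POSTs to the Magento customer address file-upload
endpoint, the first phase of the SessionReaper attack described above.

Added example, not part of the module's own code.  ASSUMPTIONS:
  * log lines are in Apache/nginx "combined" format;
  * the upload route is /rest/V1/customers/addresses/file/upload, optionally
    with a store code between /rest/ and /V1/ (e.g. /rest/default/V1/...).
"""
import re
from collections import Counter

# ASSUMED route path; Magento accepts an optional store code after /rest/.
UPLOAD_PATH_RE = re.compile(
    r"^/rest/(?:[^/]+/)?V1/customers/addresses/file/upload/?(?:\?|$)",
    re.IGNORECASE,
)

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_upload_hit(entry):
    """True for a POST to the (assumed) address file-upload route."""
    return (
        entry is not None
        and entry["method"] == "POST"
        and bool(UPLOAD_PATH_RE.match(entry["path"]))
    )


def scan(lines):
    """Return (hits, per_ip, accepted).

    hits     - all POSTs to the upload route, in log order
    per_ip   - Counter of source IPs behind those POSTs (mass-scanning shows up here)
    accepted - hits answered with a 2xx status: the upload went through, so the
               server must be checked for planted session files, not just patched
    """
    hits = [e for e in map(parse_line, lines) if is_upload_hit(e)]
    per_ip = Counter(e["ip"] for e in hits)
    accepted = [e for e in hits if e["status"].startswith("2")]
    return hits, per_ip, accepted


# Constructed sample log: two accepted uploads from one scanner, one blocked
# attempt and an unrelated GET from another, a benign request, and a junk line.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Nov/2025:08:14:02 +0000] "POST /rest/V1/customers/addresses/file/upload HTTP/1.1" 200 145 "-" "python-requests/2.32.3"',
    '203.0.113.7 - - [11/Nov/2025:08:14:03 +0000] "POST /rest/default/V1/customers/addresses/file/upload HTTP/1.1" 200 145 "-" "python-requests/2.32.3"',
    '198.51.100.9 - - [11/Nov/2025:08:15:10 +0000] "GET /rest/V1/customers/addresses/file/upload HTTP/1.1" 404 52 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [11/Nov/2025:08:15:11 +0000] "POST /rest/V1/customers/addresses/file/upload HTTP/1.1" 403 88 "-" "curl/8.5.0"',
    '192.0.2.44 - - [11/Nov/2025:08:16:00 +0000] "POST /rest/V1/guest-carts HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    "this is not a log line",
]


if __name__ == "__main__":
    hits, per_ip, accepted = scan(SAMPLE_LOG)
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} upload attempt(s)")
    for e in accepted:
        print(f"ACCEPTED upload from {e['ip']} at {e['ts']} (status {e['status']}): "
              "check session storage and the upload directory for planted files")
```

Run it against your real log with `scan(open("access.log"))`. A 2xx on the upload POST means the request reached the endpoint and was accepted, which is the case to treat as a possible compromise rather than a mere scan; a 403 or 404 only tells you the attempt was turned away at that point.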