🔍 Is this risky? Most devs are great at knowing what parts of their apps are easier or harder to implement but don’t have a great sense of which are more or less of a security risk.
✏️ Embedded document editing is surprisingly risky. A good example is the UEditor JavaScript editor, which was shipped with multiple Java and .NET CMS projects, had over 6k stars on GitHub, and had a vulnerability that allowed unrestricted file uploads to the server.
🛡️ Web Application Firewalls are great at helping with issues like this via “virtual patching.”
- There’s no actual underlying code fix for this
- There’s a clear exploit pattern
- You add a firewall rule like “Block Path: /Ueditor”
- You’re “virtually patched”
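As an added illustration (not code from the original post), here is a small Python model of that rule: it shows that a literal “Block Path: /Ueditor” match only holds up if the path is normalized first, since a different letter case, percent-encoding or a dot-segment otherwise reaches the backend unblocked. The blocked prefix and the sample request paths are constructed for this example.

```python
"""Virtual patch: block requests to a vulnerable editor endpoint.

Added example, not from the original post. Models the WAF rule
"Block Path: /Ueditor" and shows why the path must be canonicalized
(percent-decoding, case folding, slash and dot-segment cleanup)
before matching. Sample paths below are constructed for illustration.
"""
import posixpath
import re
from urllib.parse import unquote

BLOCKED_PREFIXES = ("/ueditor",)   # hypothetical rule, mirrors the post's example


def normalize_path(raw_path: str) -> str:
    """Canonicalize a request path the way the backend is likely to resolve it."""
    path = raw_path.split("?", 1)[0]          # drop the query string
    for _ in range(2):                        # decode twice to catch %25-style double encoding
        path = unquote(path)
    path = path.replace("\\", "/")            # Windows-style separators (.NET hosts)
    path = re.sub(r"/+", "/", path)           # collapse repeated slashes
    if not path.startswith("/"):
        path = "/" + path
    path = posixpath.normpath(path)           # resolve "." and ".." segments
    return path.lower()


def naive_rule(raw_path: str) -> bool:
    """The literal rule: case-sensitive prefix match on the raw path."""
    return raw_path.startswith("/Ueditor")


def virtual_patch(raw_path: str) -> bool:
    """Return True if the request should be blocked (prefix match on the normalized path)."""
    path = normalize_path(raw_path)
    return any(path == p or path.startswith(p + "/") for p in BLOCKED_PREFIXES)


def evaluate(requests):
    """Map each request path to (naive_blocked, patched_blocked)."""
    return {r: (naive_rule(r), virtual_patch(r)) for r in requests}


if __name__ == "__main__":
    # Constructed sample paths: one endpoint spelled several ways, plus a benign path.
    SAMPLE = [
        "/Ueditor/upload?x=1",
        "/ueditor/upload",
        "/%55editor/upload",
        "/static/../Ueditor/upload",
        "/images/logo.png",
    ]
    for path, (naive, patched) in evaluate(SAMPLE).items():
        print(f"{path:32} naive={naive!s:5} patched={patched}")
```

Only the first sample is caught by the literal rule; the normalized rule catches all four spellings and still leaves the benign path alone.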