File Lite contains a flaw that allows a persistent cross-site scripting (XSS) attack. This flaw exists because the application does not validate input passed via HTTP cookie headers before returning it to the user. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
Proof of Concept:
the arbitrary file upload vulnerability can be exploited by remote attackers without required application user account or user interaction.
For demonstration or reproduce ...
PoC: POST REQUEST METHOD - FILE UPLOAD
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
The client side script code injection web vulnerability can be exploited by remote attackers without application user account and
with low or medium required user interaction. For demonstration or reproduce ...