During a vulnerability assessment, a security team discovers that a web application allows users to upload files without proper validation. An attacker could upload a malicious file and execute it on the server. Which type of vulnerability is this?
Improper file validation can lead to arbitrary code execution on the server.
Why this answer
The vulnerability allows an attacker to upload a malicious file (e.g., a web shell) and then execute it on the server, which is the definition of remote code execution (RCE). This occurs because the application fails to validate file types, contents, or execution permissions, enabling arbitrary code to run in the server's context.
Exam trap
Cisco often tests the distinction between client-side attacks (XSS) and server-side attacks (RCE), so candidates may confuse file upload RCE with XSS because both involve malicious file or script injection, but the execution context (server vs. client) is the key differentiator.
How to eliminate wrong answers
Option A is wrong because cross-site scripting (XSS) involves injecting client-side scripts (e.g., JavaScript) into web pages viewed by other users, not executing code on the server. Option B is wrong because SQL injection targets database queries by manipulating input to alter SQL statements, not file uploads or server-side code execution. Option D is wrong because insecure direct object reference (IDOR) allows unauthorized access to resources by manipulating object references (e.g., user IDs in URLs), not file uploads or code execution.