Issue
- I would like to report a security issue. If guest users are allowed to upload files through a Liferay Form upload field, the check only looks at the file extension, so a guest can rename a file with malicious content (for example a Groovy script) to an allowed extension such as .jpg and the file is accepted, which can harm the site.
Reproduction Steps:
1. Start Liferay Quarterly Release 2024.q3.13
2. Go to Content and Data --> Forms and add a form with the following configuration:
a. Add an upload field
b. Enable "Allow Guest Users to Send Files" from the right panel.
c. Save and publish the form
3. Edit the Home page, add a Form widget, configure it to display the created Form, and publish the page.
4. Log out and, as a Guest, try to upload a Groovy script file: test-groovy.groovy
Checkpoint: The upload is rejected. This is expected.
5. Rename the file from test-groovy.groovy to test-groovy.jpg (the content is still the Groovy script) and try to upload it again.
Actual Result: The file is uploaded, even though the content of the file is not an image.
Expected Result: The file should not be uploaded.
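The reproduction above shows the weakness of filtering uploads on the filename alone: step 4 is blocked because ".groovy" is not an allowed extension, and step 5 gets through because ".jpg" is, even though the bytes did not change. The following is an added illustration, not Liferay code and not part of the original report. It puts an extension-only check beside a content-based check that sniffs the file's leading bytes and requires them to match an allowed MIME type; the allow-lists, the magic-byte table and the sample uploads (a Groovy script and a minimal JPEG header) are all constructed for the example.

```python
"""Extension-only upload filtering versus content-based filtering.

Constructed example (not Liferay's implementation): shows why renaming
test-groovy.groovy to test-groovy.jpg defeats an extension check, and how
validating the actual bytes against an allowed MIME-type list blocks it.
"""
import os
from typing import Dict, Optional, Tuple

# Hypothetical allow-lists for the upload field.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}
ALLOWED_MIME_TYPES = {"image/jpeg", "image/png", "image/gif", "application/pdf"}

# Magic-byte signatures (at offset 0) for the allowed types.
MAGIC = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
]

# Extensions each sniffed type may legitimately carry.
EXTENSIONS_FOR_MIME = {
    "image/jpeg": {".jpg", ".jpeg"},
    "image/png": {".png"},
    "image/gif": {".gif"},
    "application/pdf": {".pdf"},
}


def extension_allowed(filename: str) -> bool:
    """The weak check: trusts the filename, which the uploader controls."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXTENSIONS


def sniff_mime(data: bytes) -> Optional[str]:
    """Identify the type from the leading bytes, ignoring the filename."""
    for signature, mime in MAGIC:
        if data.startswith(signature):
            return mime
    return None


def content_allowed(filename: str, data: bytes) -> bool:
    """The hardened check: the bytes must sniff to an allowed MIME type and
    the declared extension must agree with the sniffed type."""
    mime = sniff_mime(data)
    if mime not in ALLOWED_MIME_TYPES:
        return False
    ext = os.path.splitext(filename)[1].lower()
    return ext in EXTENSIONS_FOR_MIME[mime]


# Constructed uploads mirroring the reproduction steps.
GROOVY_SCRIPT = b'println "hello from groovy"\n'
TINY_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + b"\xff\xd9"

UPLOADS = {
    "test-groovy.groovy": GROOVY_SCRIPT,  # step 4: rejected by both checks
    "test-groovy.jpg": GROOVY_SCRIPT,     # step 5: renamed script
    "photo.jpg": TINY_JPEG,               # legitimate image
}


def evaluate(uploads=UPLOADS) -> Dict[str, Tuple[bool, bool]]:
    """Return {filename: (extension_check_passed, content_check_passed)}."""
    return {
        name: (extension_allowed(name), content_allowed(name, data))
        for name, data in uploads.items()
    }


if __name__ == "__main__":
    for name, (ext_ok, content_ok) in evaluate().items():
        print(f"{name:22} extension-check={ext_ok!s:5} content-check={content_ok}")
```

Running the block prints one line per upload: the renamed script passes the extension check and fails the content check, while the real JPEG passes both. Magic-byte sniffing is a necessary check, not a sufficient one (polyglot files can carry a valid image header and still be parsed as something else), so uploaded files should also be stored where the server never executes them and served with a fixed Content-Type and X-Content-Type-Options: nosniff.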
Environment
- Liferay Quarterly Release 2024.q3.13
Resolution
- The case is fixed by LPD-49016. Please request a hotfix. With the fix, form uploads are validated against the allowed MIME types configured under Control Panel --> Configuration --> Instance Settings --> Documents and Media, so a file is checked by its type rather than by its extension alone. After applying the hotfix, review that configuration to make sure only the MIME types you intend to accept are listed.