This repository has been archived by the owner on May 25, 2023. It is now read-only.

This opens the user to a file upload vulnerability #3514


lcashdol

This package has been included in various other packages and this code included in the project's web accessible path.
It's actively being exploited in the wild. CVE-2018-9206

@blueimp
Owner

blueimp commented Oct 11, 2018

Thanks for your report @lcashdol

Reading the CVE report I can not yet confirm a vulnerability in this project.
If however you have a proof of concept how the default implementations provided by this project can be used for a remote code execution, please contact me via https://blueimp.net

For information about potential security vulnerabilities when misconfiguring file upload handling in relation to this project, please have a look at the following wiki page:
https://github.com/blueimp/jQuery-File-Upload/wiki/Security

A common misconception is that allowing the upload of arbitrary files by itself results in a security vulnerability.
Only in combination with a misconfiguration in how these files are handled can this result in a vulnerability.

@blueimp blueimp closed this in aeb47e5 Oct 13, 2018
@blueimp
Owner

blueimp commented Oct 13, 2018

Thanks to @lcashdol's report, the issue could be identified as a combination of the default configuration of Apache v2.3.9+ to disable .htaccess support and the jQuery File Upload PHP implementation relying on its .htaccess file for security.

As a security fix, instead of disabling the example implementation completely, only image file types are now allowed by default.

Thanks again @lcashdol!
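
An added example (not part of this thread or the project's code): a Python check that reports whether a `.htaccess` file in an upload directory has any effect under a given Apache configuration, which is the condition identified in the comment above. It assumes literal `<Directory>` paths only (no wildcards, `<DirectoryMatch>` or `AllowOverrideList`); the configuration text and all paths are constructed.

```python
import re
from pathlib import PurePosixPath

# Constructed sample configuration, not taken from any real server.
SAMPLE_CONF = """
<Directory "/var/www/">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
# <Directory "/var/www/html/uploads">
#     AllowOverride All
# </Directory>
<Directory "/var/www/html/legacy">
    AllowOverride All
</Directory>
"""

SECTION = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.I | re.S)
DIRECTIVE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.I | re.M)

def effective_allow_override(conf_text, target_dir):
    """Return the AllowOverride value that applies to target_dir.

    Apache merges <Directory> sections from shortest to longest path, so the
    longest matching section that sets AllowOverride wins. If no section sets
    it, the Apache 2.3.9+ default of "None" applies.
    """
    conf_text = re.sub(r'(?m)^\s*#.*$', '', conf_text)  # drop comment lines
    target = PurePosixPath(target_dir)
    best_len, value = -1, "None"
    for path, body in SECTION.findall(conf_text):
        section = PurePosixPath(path)
        if section != target and section not in target.parents:
            continue  # this section does not cover target_dir
        found = DIRECTIVE.findall(body)
        if found and len(section.parts) > best_len:
            best_len, value = len(section.parts), found[-1]
    return value

def htaccess_honoured(conf_text, target_dir):
    """True if a .htaccess file placed in target_dir would be read at all."""
    return effective_allow_override(conf_text, target_dir).lower() != "none"
```

A `False` result for the upload directory means any protection shipped only as a `.htaccess` file there is silently ignored, so restrictions have to be enforced in the server configuration or in the upload handler itself.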

@lcashdol
Author

You're very welcome. :-)

@GildedHonour

Only Apache is vulnerable?

@blueimp
Owner

blueimp commented Oct 24, 2018
