CVE-2018-9206 is an unauthenticated arbitrary file upload vulnerability in the Blueimp jQuery-File-Upload plugin. Because the plugin does not restrict file types by default, a remote unauthenticated attacker can upload arbitrary files to the server. Exploiting this flaw lets an attacker upload and execute a malicious file on the target server, for example malware, an executable, or a shell script. With such a payload in place, the attacker can gain remote access to the server and take complete control of the victim's host, and from there carry out further attacks such as exfiltrating sensitive data or moving laterally to other hosts on the network. In short, exploiting this vulnerability gives an attacker full control of a vulnerable host.
Affected versions: Blueimp jQuery-File-Upload plugin 9.22.0 and earlier.
Configure your web server so that it never executes files in the upload directory. With Apache, for example, this can be done in the Apache configuration.
Update to the latest version of the plugin.
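The following Apache configuration is an added example of the first mitigation above; it is not taken from the page or from the plugin's own files. It assumes the upload directory is `/var/www/html/server/php/files` (the plugin's default location under the web root) and that `mod_mime` and `mod_headers` are loaded.

```apache
# Hardening for the jQuery-File-Upload upload directory.
# The path is an assumption for this example; adjust it to your deployment.
<Directory "/var/www/html/server/php/files">
    # Serve every file as static content, never through a script handler
    # (mod_php, mod_cgi, a proxied PHP-FPM handler, and so on).
    SetHandler default-handler
    RemoveHandler .php .phtml .phar .php3 .php5 .php7 .phps .cgi .pl .py
    RemoveType .php .phtml .phar

    # No CGI execution, no server-side includes, no directory listings.
    Options -ExecCGI -Includes -Indexes

    # If mod_php is loaded, turn the engine off for this tree as well
    # (the module name is mod_php.c on PHP 8 builds).
    <IfModule mod_php7.c>
        php_flag engine off
    </IfModule>

    # Force downloads and stop browsers from sniffing a script out of a
    # file that claims to be an image; real images keep their own type.
    ForceType application/octet-stream
    Header set Content-Disposition attachment
    Header set X-Content-Type-Options nosniff
    <FilesMatch "(?i)\.(gif|jpe?g|png)$">
        ForceType none
        Header unset Content-Disposition
    </FilesMatch>

    # Keep these rules in the server configuration rather than in an
    # .htaccess file: since Apache 2.3.9 the default is AllowOverride None,
    # which silently ignores .htaccess files in this directory.
    AllowOverride None
</Directory>
```

After reloading Apache, confirm the result by requesting a test `.php` file placed in the directory: it should be offered as a download rather than run.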