I don't normally advertise new releases of this extension, much less minor ones, but
this concerns a security issue, so here goes...

I just released the SimpleBatchUpload extension version 1.3.2 which fixes an
unauthenticated arbitrary file upload vulnerability present in the Blueimp
jQuery-File-Upload module used by this extension ([1], [2]). This vulnerability allows
remote execution of code on the server.

This vulnerability affects all versions of SimpleBatchUpload < 1.3.2 on MediaWiki <
1.27.4/1.28.3/1.29.2/1.30.0. Higher versions of MediaWiki block the /vendor directory for
direct web access, so while the unauthorized upload of files is still possible, at least
they cannot be used as remote entry points, so execution of code should not be possible.

If you are using one of the affected versions, please upgrade SimpleBatchUpload as soon as
possible.

Stephan

[1] https://nvd.nist.gov/vuln/detail/CVE-2018-9206
[2] http://www.vapidlabs.com/advisory.php?v=204
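
For triaging a set of wikis against the version matrix in the announcement above, here is an added example (not part of the original message and not code from the extension). The function names, result labels and sample inventory are constructed for illustration, and treating pre-release version strings as not yet fixed is an assumption of this example.

```python
import re

# Fixed versions as stated in the announcement above.
SBU_FIXED = (1, 3, 2)                               # SimpleBatchUpload
MW_FIXED = {(1, 27): 4, (1, 28): 3, (1, 29): 2}     # per-branch patch level
MW_SAFE_FROM = (1, 30, 0)                           # 1.30.0 and later block /vendor

def parse_version(text):
    """Return (numeric tuple padded to 3 parts, has_suffix) for e.g. '1.30.0-rc.0'."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)(.*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))
    return nums, bool(m.group(2).strip())

def at_least(text, minimum):
    """True if version >= minimum; a pre-release of the minimum itself
    does not count (assumption of this example: be conservative)."""
    nums, has_suffix = parse_version(text)
    return nums > minimum or (nums == minimum and not has_suffix)

def vendor_blocked(mw_version):
    """True if this MediaWiki release blocks direct web access to /vendor."""
    branch = parse_version(mw_version)[0][:2]
    if branch >= MW_SAFE_FROM[:2]:
        return at_least(mw_version, MW_SAFE_FROM)
    if branch in MW_FIXED:
        return at_least(mw_version, branch + (MW_FIXED[branch],))
    return False        # branches older than 1.27 have no fixed release listed

def classify(sbu_version, mw_version):
    """Hypothetical labels: 'patched', 'upload-only' (files can still be
    uploaded but should not be executable), 'rce-exposed'."""
    if at_least(sbu_version, SBU_FIXED):
        return "patched"
    return "upload-only" if vendor_blocked(mw_version) else "rce-exposed"

if __name__ == "__main__":
    # Constructed inventory: (wiki name, SimpleBatchUpload, MediaWiki)
    inventory = [
        ("wiki-a", "1.3.1", "1.27.3"),
        ("wiki-b", "1.3.1", "1.28.3"),
        ("wiki-c", "1.2.0", "1.30.0"),
        ("wiki-d", "1.3.2", "1.26.4"),
    ]
    for name, sbu, mw in inventory:
        print(f"{name}: SBU {sbu} on MW {mw} -> {classify(sbu, mw)}")
```

Both 'upload-only' and 'rce-exposed' installations still need the upgrade to 1.3.2; the label only orders the work.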