Java-based web applications that accept file uploads must ensure that an attacker cannot upload or transfer malicious files. If a restricted file containing code is executed by the target system, it can result in misuse of privileges. For example, an application that permits HTML files to be uploaded could allow malicious code to be executed—an attacker can submit a valid HTML file with a cross-site-scripting payload that will execute in the absence of an output-escaping routine. For this reason, many applications restrict the type of files that can be uploaded.
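One way to enforce such a type restriction on the server, shown as an added example that is not code from the original page: the class `UploadTypeCheck`, its allowlist, and the sample byte arrays are all assumptions constructed for illustration. It accepts an upload only when the leading bytes match an allowlisted format and that format agrees with the client-declared type.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Optional;

public class UploadTypeCheck {
    // Hypothetical allowlist: MIME type -> leading bytes ("magic number") of that format.
    private static final Map<String, byte[]> ALLOWED = new LinkedHashMap<>();
    static {
        ALLOWED.put("image/png", new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A});
        ALLOWED.put("image/jpeg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF});
        ALLOWED.put("application/pdf", "%PDF-".getBytes(StandardCharsets.US_ASCII));
    }

    // Determine the type from the content itself; empty if nothing on the allowlist matches.
    static Optional<String> detect(byte[] content) {
        for (Map.Entry<String, byte[]> e : ALLOWED.entrySet()) {
            byte[] magic = e.getValue();
            if (content.length >= magic.length
                    && Arrays.equals(Arrays.copyOf(content, magic.length), magic)) {
                return Optional.of(e.getKey());
            }
        }
        return Optional.empty();
    }

    // Accept only if the content is allowlisted AND matches the client-declared type.
    // The declared type is attacker-controlled, so it is never trusted on its own.
    static boolean accept(String declaredType, byte[] content) {
        return detect(content).map(t -> t.equalsIgnoreCase(declaredType)).orElse(false);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a PNG header and a plain HTML document.
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 0x0D};
        byte[] html = "<html><body>hello</body></html>".getBytes(StandardCharsets.UTF_8);

        System.out.println("png declared image/png:   " + accept("image/png", png));
        System.out.println("html declared image/png:  " + accept("image/png", html));
        System.out.println("html declared text/html:  " + accept("text/html", html));
        System.out.println("png declared image/jpeg:  " + accept("image/jpeg", png));
    }
}
```

A leading-bytes check is a necessary filter, not a complete one: a file can begin with a valid signature and still carry other content, so uploads should also be stored outside the web root and served with a fixed, non-executable content type.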

...

An arbitrary file upload vulnerability could result in privilege escalation and execution of arbitrary code.

Bibliography

...

 

...