The SecCommerce SecSigner Java applet version 3.5.0 suffers from a client-side remote arbitrary file upload vulnerability.