if an attacker discovers that the upload function doesn't check for file types(such as .php,.jsp,.aspx ) and the server allows these file types to be executed as a code. An attacker can upload a malicious (server-side code) file that operates as a web shell, making him take full control over the server.

if an attacker discovers that there's no validation, this could allow an attacker to overwrite critical files simply by uploading a file with the same name.

if an attacker discovers that the server doesn't check for file size it could lead to a form of denial-of-service (DoS) attack, whereby the attacker fills the available disk space.

• Check the file extension against a whitelist of permitted extensions and these extensions are necessary for business functionality.
• Make sure the filename doesn't contain any substrings that may be interpreted as a directory or a traversal sequence (../)
• Make sure the filename doesn't contain any special characters
• Rename uploaded files to avoid collisions that may cause existing files to be overwritten.
• Limit the file size to a minimum and maximum value in order to prevent denial of service attacks
• Do not upload files to the server's permanent filesystem until they have been fully validated.