Many web applications enable file upload (images, avatars, documents, ...). If it hasn't a proper filtering mechanism, the application is likely to accept other files than pictures and documents. For example, an attacker could exploit it to download a PHP script, disguised with a gif extension.

Talk:CWE-SANS-Top-25/Insecure-interaction-between-components/CWE-434