"/WebUI/Editors/Base/Controls/UploadControl/FileUpload.aspx" is used to upload binary files, which than used in Multimedia Components. When an attacker uploads the file it would first save it into temporary location with
.tmp extension, see
https://docs.rws.com/986894/250404/tridion-sites-9-6-main-documentation/configuring-a-shared-network-temporary-location-for-uploads-to-the-core-service. This file would not go any further, e.g. it will not be uploaded to database, in order to upload to database an attacker has to save the Multimedia Component which is not available in this endpoint.
To protect the temporary folder from uploading the malicious files see
https://docs.rws.com/792475/106584/sdl-tridion-2013-sp1/content-manager-security-best-practices.
Additionally, we would recommend to configure a scheduled clean up of this folder, so all uploaded files (and those that was not saved to database) would be clean up periodically.