9.8
CVE-2022-29622
- EPSS 3.2%
- Veröffentlicht 16.05.2022 14:15:08
- Zuletzt bearbeitet 21.11.2024 06:59:27
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginAn arbitrary file upload vulnerability in formidable v3.1.4 allows attackers to execute arbitrary code via a crafted filename. NOTE: some third parties dispute this issue because the product has common use cases in which uploading arbitrary files is the desired behavior. Also, there are configuration options in all versions that can change the default behavior of how files are handled. Strapi does not consider this to be a valid vulnerability.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Formidable Project ≫ Formidable Version3.1.4 SwPlatformnode.js
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 3.2% | 0.865 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 7.5 | 10 | 6.4 |
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
CWE-434 Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
https://github.com/node-formidable/formidable/issues/856
https://github.com/node-formidable/formidable/issues/862
https://github.com/strapi/strapi/issues/20189
https://medium.com/%40zsolt.imre/is-cybersecurity-the-next-supply-chain-vulnerability-9a00de745022
https://www.youtube.com/watch?v=C6QPKooxhAo