GHSA-v6f4-jwv9-682w

Опубликовано: 04 янв. 2024

Источник: github

Github: Прошло ревью

CVSS3: 6.5

Описание

class.upload.php allows cross-site scripting attacks via uploaded files

As a simple library, class.upload.php does not perform an in-depth check on uploaded files, allowing a stored XSS vulnerability when the default configuration is used.

Developers must be aware of that fact and use extension whitelisting accompanied by forcing the server to always provide content-type based on the file extension.

The README has been updated to include these guidelines.

Ссылки

Пакеты

Наименование

verot/class.upload.php

composer

Затронутые версииВерсия исправления

<= 2.1.6

Отсутствует

EPSS

Процентиль: 29%

0.00104

Низкий

6.5 Medium

CVSS3

CVE ID

CVE-2023-6551

Дефекты

CWE-20

CWE-434

Связанные уязвимости

CVE-2023-6551

CVSS3: 5.4

nvd

около 2 лет назад

As a simple library, class.upload.php does not perform an in-depth check on uploaded files, allowing a stored XSS vulnerability when the default configuration is used. Developers must be aware of that fact and use extension whitelisting accompanied by forcing the server to always provide content-type based on the file extension. The README has been updated to include these guidelines.

EPSS

Процентиль: 29%

0.00104

Низкий

6.5 Medium

CVSS3

CVE ID

CVE-2023-6551

Дефекты

CWE-20

CWE-434