CVE-2022-23626

Published: 08 Feb 2022
Source: nvd
CVSS3: 8.5
CVSS3: 8.8
CVSS2: 6.5
EPSS: Low

Description

m1k1o/blog is a lightweight self-hosted facebook-styled PHP blog. Errors from functions imagecreatefrom* and image* have not been checked properly. Although PHP issued warnings and the upload function returned false, the original file (that could contain a malicious payload) was kept on the disk. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.
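
The failure mode described above, handled defensively in an upload routine. This is an added example, not code from m1k1o/blog or its fix; the function name `store_uploaded_image`, its parameters and the choice to re-encode everything as JPEG are assumptions made for illustration.

```php
<?php
// Added illustration; names and paths are hypothetical, not from m1k1o/blog.

/**
 * Re-encode an uploaded image and guarantee that no unvalidated bytes stay
 * on disk when decoding or encoding fails (CWE-252: unchecked return value).
 */
function store_uploaded_image(string $tmpPath, string $destDir): string
{
    // Pick the decoder from the file content, not from the client-supplied name.
    $info = @getimagesize($tmpPath);
    $decoders = [
        IMAGETYPE_JPEG => 'imagecreatefromjpeg',
        IMAGETYPE_PNG  => 'imagecreatefrompng',
        IMAGETYPE_GIF  => 'imagecreatefromgif',
    ];
    if ($info === false || !isset($decoders[$info[2]])) {
        @unlink($tmpPath);
        throw new RuntimeException('unsupported or unreadable image');
    }

    // imagecreatefrom* returns false (and emits a warning) on malformed input.
    $decode = $decoders[$info[2]];
    $img = @$decode($tmpPath);
    if ($img === false) {
        @unlink($tmpPath);   // do not leave the rejected original behind
        throw new RuntimeException('image decoding failed');
    }

    // Store only the re-encoded pixels under a server-chosen name and extension.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.jpg';
    $ok = imagejpeg($img, $dest, 85);
    unset($img);
    @unlink($tmpPath);       // the original upload is never kept, on success or failure

    if ($ok === false) {
        @unlink($dest);      // drop a partially written output file
        throw new RuntimeException('image encoding failed');
    }
    return $dest;
}
```

Every path that leaves the function, including the error paths, removes the original upload, so a file that fails image processing cannot remain in a web-reachable directory.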

Vulnerable configurations

Configuration 1
cpe:2.3:a:blog_project:blog:*:*:*:*:*:*:*:*
Version before 1.4 (exclusive)

EPSS

Percentile: 88%
0.03782
Low

8.5 High

CVSS3

8.8 High

CVSS3

6.5 Medium

CVSS2

Weaknesses

CWE-20
CWE-252
