CVE-2022-24278

Опубликовано: 10 июн. 2022

Источник: nvd

CVSS3: 7.5

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

The package convert-svg-core before 0.6.4 are vulnerable to Directory Traversal due to improper sanitization of SVG tags. Exploiting this vulnerability is possible by using a specially crafted SVG file.

Ссылки

https://github.com/neocotic/convert-svg/commit/2bbc498c5029238637206661dbac9e44d37d17c5
Patch
Third Party Advisory
https://github.com/neocotic/convert-svg/issues/86
Exploit
Issue Tracking
Third Party Advisory
https://github.com/neocotic/convert-svg/pull/87
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-CONVERTSVGCORE-2859830
Third Party Advisory
https://github.com/neocotic/convert-svg/commit/2bbc498c5029238637206661dbac9e44d37d17c5
Patch
Third Party Advisory
https://github.com/neocotic/convert-svg/issues/86
Exploit
Issue Tracking
Third Party Advisory
https://github.com/neocotic/convert-svg/pull/87
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-CONVERTSVGCORE-2859830
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:convert-svg_project:convert-svg:*:*:*:*:*:node.js:*:*

Версия до 0.6.4 (исключая)

EPSS

Процентиль: 72%

0.00729

Низкий

7.5 High

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-22

Связанные уязвимости

GHSA-5f47-rcg5-9m24

CVSS3: 7.5

github

больше 3 лет назад

Directory traversal in convert-svg-core

EPSS

Процентиль: 72%

0.00729

Низкий

7.5 High

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-22