CVE-2023-6551

Опубликовано: 04 янв. 2024

Источник: nvd

CVSS3: 5.4

EPSS Низкий

Описание

As a simple library, class.upload.php does not perform an in-depth check on uploaded files, allowing a stored XSS vulnerability when the default configuration is used.

Developers must be aware of that fact and use extension whitelisting accompanied by forcing the server to always provide content-type based on the file extension.

The README has been updated to include these guidelines.

Ссылки

https://cert.pl/en/posts/2024/01/CVE-2023-6551
Third Party Advisory
https://cert.pl/posts/2024/01/CVE-2023-6551
Third Party Advisory
https://cert.pl/en/posts/2024/01/CVE-2023-6551
Third Party Advisory
https://cert.pl/posts/2024/01/CVE-2023-6551
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:verot:class.upload.php:-:*:*:*:*:*:*:*

EPSS

Процентиль: 24%

0.00079

Низкий

5.4 Medium

CVSS3

Дефекты

CWE-434

Связанные уязвимости

GHSA-v6f4-jwv9-682w

CVSS3: 6.5

github

около 2 лет назад

class.upload.php allows cross-site scripting attacks via uploaded files