CVE-2021-28294 — Unrestricted File Upload in Ordering System Project Online Ordering System

CWE-434 — Unrestricted File Upload3 documents3 sources

Severity

9.8CRITICALNVD

EPSS

2.6%

top 14.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Online Ordering System Project Online Ordering System

Timeline

PublishedMar 16

Latest updateMay 24

Description

Online Ordering System 1.0 is vulnerable to arbitrary file upload through /onlineordering/GPST/store/initiateorder.php, which may lead to remote code execution (RCE).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

▶NVDonline_ordering_system_project/online_ordering_system1.0

🔴Vulnerability Details

GHSA

GHSA-98m6-692f-9693: Online Ordering System 1↗2022-05-24

▶

CVEList

CVE-2021-28294: Online Ordering System 1↗2021-03-16

▶