CVE-2022-32115
Published 2022-07-08
CVE-2022-32115: An issue in the isSVG() function of Known v1.2.2+2020061101 allows attackers to execute arbitrary code via a crafted SVG file.
Priority P428 | medium | 6.1 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
EPSS: 1.00% (58.6th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| idno | known | 0 – 1.3.1 | — |
| withknown | known | <= 1.3.1 | — |
CVSS provenance
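| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |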
OSV
Known vulnerable to code execution via SVG file in v1.3.1
osv·2022-07-09
CVE-2022-32115 [MEDIUM] Known vulnerable to code execution via SVG file in v1.3.1
An issue in the isSVG() function of Known v1.3.1 allows attackers to execute arbitrary code via a crafted SVG file.
The researcher report indicates that versions 1.3.1 and prior are vulnerable. Version 1.2.2 is the last version tagged on GitHub and in Packagist, and development related to the 1.3.x branch is currently on the `dev` branch of the idno/known repository.
GHSA
Known vulnerable to code execution via SVG file in v1.3.1
ghsa·2022-07-09
CVE-2022-32115 [MEDIUM] CWE-79 Known vulnerable to code execution via SVG file in v1.3.1
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2022-07-08