CVE-2022-39305Unrestricted File Upload in Project Gin-vue-admin

CWE-434Unrestricted File Upload2 documents2 sources
Severity
9.8CRITICALNVD
EPSS
0.4%
top 37.38%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Gin-vue-admin Project Gin-vue-adminFlipped-aurora Gin-vue-admin
Timeline
PublishedOct 24

Description

Gin-vue-admin is a backstage management system based on vue and gin, which separates the front and rear of the full stack. Versions prior to 2.5.4 contain a file upload ability. The affected code fails to validate fileMd5 and fileName parameters, resulting in an arbitrary file being read. This issue is patched in 2.5.4b. There are no known workarounds.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
CVEList
Gin-vue-admin vulnerable to Unrestricted Upload of File with Dangerous Type2022-10-24
CVE-2022-39305 — Unrestricted File Upload | cvebase