GHSA-38vf-35cg-m73w

Source

https://github.com/advisories/GHSA-38vf-35cg-m73w

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-38vf-35cg-m73w/GHSA-38vf-35cg-m73w.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-38vf-35cg-m73w

Aliases

CVE-2023-41564

Published

2023-09-09T00:30:48Z

Modified

2023-11-05T05:22:55.353094Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

Cockpit CMS arbitrary file upload vulnerability

Details

An arbitrary file upload vulnerability in the Upload Asset function of Cockpit CMS v2.6.3 allows attackers to execute arbitrary code via uploading a crafted .shtml file.

Database specific

{
    "github_reviewed": true,
    "nvd_published_at": "2023-09-08T23:15:11Z",
    "cwe_ids": [
        "CWE-434"
    ],
    "github_reviewed_at": "2023-09-11T18:04:48Z",
    "severity": "MODERATE"
}

References

Affected packages

Packagist / cockpit-hq/cockpit

Package

Name: cockpit-hq/cockpit
Purl: pkg:composer/cockpit-hq/cockpit

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

2.6.3

Affected versions

2.*

2.0.0

2.0.1

2.0.2

2.1.0

2.1.1

2.1.2

2.2.0

2.2.1

2.2.2

2.3.0

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

2.3.7

2.3.8

2.3.9

2.4.0

2.4.1

2.5.0

2.5.1

2.5.2

2.6.0

2.6.1

2.6.2

2.6.3