GHSA-ff4w-8chr-w2x9

Suggest an improvement
Source
https://github.com/advisories/GHSA-ff4w-8chr-w2x9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-ff4w-8chr-w2x9/GHSA-ff4w-8chr-w2x9.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-ff4w-8chr-w2x9
Aliases
Published
2022-05-24T16:44:03Z
Modified
2023-11-01T04:50:15.857775Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
SiteServer CMS RCE via unsafe file upload
Details

A issue was discovered in SiteServer CMS prior to version 6.12. It allows remote attackers to execute arbitrary code because an administrator can add the permitted file extension .aassp, which is converted to .asp because the "as" substring is deleted.

Database specific 
{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-434"
    ],
    "severity": "HIGH",
    "nvd_published_at": "2019-04-22T11:29:00Z",
    "github_reviewed_at": "2023-07-14T20:14:41Z"
}
References

Affected packages

NuGet / sscms

Package

Name
sscms
View open source insights on deps.dev
Purl
pkg:nuget/sscms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.12

Affected versions

1.*
1.0.0-preview4

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-ff4w-8chr-w2x9/GHSA-ff4w-8chr-w2x9.json"