PT-2022-18338 · Unknown · Express-Fileupload

Published 2022-04-12 · Updated 2023-10-18 · CVE-2022-27261

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Express-FileUpload version 1.3.1

Description

The issue allows attackers to upload multiple files with the same name, overwriting files on the web application server. The underlying weakness is an arbitrary file write.

Recommendations

For Express-FileUpload version 1.3.1, consider implementing validation to prevent uploading multiple files with the same name as a temporary workaround until a patch is available. Restrict access to file upload functionality to minimize the risk of exploitation.
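
One way to implement the duplicate-name validation recommended above, as an added example (not code from this advisory or from the Express-FileUpload project). It assumes the `req.files` shape the library populates, where each field holds a file object with a `name` property or an array of them; the function names, the sample data and the case-insensitive comparison are choices made for this example.

```javascript
// Added example: reject a request that carries two uploads with the same name.
// Assumption: req.files maps each form field to a file object with a `name`
// property, or to an array of such objects.

// Reduce a client-supplied name to a comparison key: last path segment,
// Unicode-normalized and lower-cased so "Report.PDF" matches "report.pdf".
function nameKey(name) {
  const base = String(name).split(/[\\/]/).pop();
  return base.normalize('NFC').toLowerCase();
}

// Return the sorted name keys that occur more than once across all fields.
function findDuplicateNames(files) {
  const seen = new Set();
  const dupes = new Set();
  for (const entry of Object.values(files || {})) {
    for (const file of Array.isArray(entry) ? entry : [entry]) {
      const key = nameKey(file.name);
      (seen.has(key) ? dupes : seen).add(key);
    }
  }
  return [...dupes].sort();
}

// Express-style middleware: mount it after the upload parser and before any
// handler that saves files, so a request with clashing names never reaches it.
function rejectDuplicateNames(req, res, next) {
  const dupes = findDuplicateNames(req.files);
  if (dupes.length > 0) {
    return res
      .status(400)
      .json({ error: 'duplicate file names in upload', names: dupes });
  }
  return next();
}

// Constructed sample of a parsed multi-file request (not real traffic).
const sampleFiles = {
  avatar: { name: 'photo.png' },
  docs: [{ name: 'report.pdf' }, { name: 'Report.PDF' }, { name: 'notes.txt' }],
  extra: { name: 'uploads/photo.png' },
};

console.log(findDuplicateNames(sampleFiles));
```

The check covers names within a single request only; a handler that saves under client-supplied names still needs its own guard against files already on disk.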

Exploit

Fix

Unrestricted File Upload


Weakness Enumeration

Related Identifiers

CVE-2022-27261
GHSA-W4M6-X6C2-J5C9

Affected Products

Express-Fileupload