PT-2022-21139 · Unknown · Gin-Vue-Admin
Published 2022-10-17 · Updated 2022-10-26 · CVE-2022-32176
CVSS v3.1: 9.0 (Critical)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Gin-Vue-Admin versions v2.5.1 through v2.5.3b
Description
The issue allows Unrestricted File Upload through the "Compress Upload" functionality of the Media Library, leading to the execution of JavaScript code. When an admin user views the uploaded file, a low-privilege attacker can obtain the admin's cookie, resulting in account takeover.
Recommendations
For versions v2.5.1 through v2.5.3b, consider disabling the "Compress Upload" functionality of the Media Library as a temporary workaround until a patch is available. Restrict access to the Media Library to minimize the risk of exploitation. Do not allow low-privilege users to upload files to the Media Library until the issue is resolved.
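As an added illustration of the two controls that close this class of bug, written in Go (the language of Gin-Vue-Admin's backend) for this page and not taken from the project: an upload validator that accepts a file only when its extension is on an allowlist and the sniffed content type agrees with that extension, and the response headers a media-serving endpoint should set so a stored file is downloaded rather than rendered in the admin's browser. The allowlist, function names, sample inputs and header values are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"path/filepath"
	"strings"
)

// allowedMedia maps each accepted extension to the MIME type that
// http.DetectContentType reports for a genuine file of that kind.
// Constructed allowlist for this example; SVG is deliberately absent
// because SVG documents can carry inline script.
var allowedMedia = map[string]string{
	".png":  "image/png",
	".jpg":  "image/jpeg",
	".jpeg": "image/jpeg",
	".gif":  "image/gif",
}

// ErrRejected is wrapped by every validation failure so callers can
// test for it with errors.Is.
var ErrRejected = errors.New("upload rejected")

// ValidateMediaUpload accepts a file only when its extension is on the
// allowlist and the sniffed content type is the one expected for that
// extension. Either check alone is insufficient: a renamed HTML file
// passes an extension check, and a mismatched pair signals a polyglot.
func ValidateMediaUpload(filename string, content []byte) error {
	ext := strings.ToLower(filepath.Ext(filename))
	want, ok := allowedMedia[ext]
	if !ok {
		return fmt.Errorf("%w: extension %q is not allowed", ErrRejected, ext)
	}
	// DetectContentType inspects at most the first 512 bytes.
	got := http.DetectContentType(content)
	if got != want {
		return fmt.Errorf("%w: content sniffed as %s, expected %s for %s", ErrRejected, got, want, ext)
	}
	return nil
}

// MediaHeaders returns the headers a media-serving endpoint should set so
// that the browser downloads a stored file instead of rendering it, does
// not second-guess the declared type, and runs no script even if a file
// slipped past validation.
func MediaHeaders(filename string) http.Header {
	h := http.Header{}
	h.Set("Content-Disposition", fmt.Sprintf("attachment; filename=%q", filepath.Base(filename)))
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy", "default-src 'none'; sandbox")
	return h
}

func main() {
	// Constructed inputs: a PNG signature padded with zeros, and a small HTML document.
	png := append([]byte("\x89PNG\r\n\x1a\n"), make([]byte, 32)...)
	html := []byte("<html><body>not an image</body></html>")

	for _, c := range []struct {
		name string
		data []byte
	}{
		{"logo.png", png},
		{"page.html", html}, // rejected by the extension check
		{"logo.png", html},  // rejected by the content-type check
	} {
		fmt.Printf("%-10s -> %v\n", c.name, ValidateMediaUpload(c.name, c.data))
	}
	fmt.Println(MediaHeaders("uploads/logo.png"))
}
```

The validator belongs in front of any upload path, including the "Compress Upload" one, since a compression step that runs on attacker-supplied bytes must not be the only thing standing between the upload and the media store. The headers are the second layer: with `Content-Disposition: attachment` and a `default-src 'none'; sandbox` policy, a file that does reach the library cannot run script in the admin's origin when it is viewed.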
Exploit
Fix
Weakness Enumeration
Unrestricted File Upload
Related Identifiers
CVE-2022-32176
Affected Products
Gin-Vue-Admin