PT-2022-21140 · Unknown · Gin-Vue-Admin
Published 2022-10-14 · Updated 2025-05-14
CVE-2022-32177
CVSS v3.1: 9.0 (Critical)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Gin-Vue-Admin versions v2.5.1 through v2.5.3beta
Description
The 'Normal Upload' function of the Media Library accepts files without restricting their type (Unrestricted File Upload). A low-privileged user can upload a file containing JavaScript; when an administrator opens the uploaded file in the browser, the script runs in the application's origin and can read the administrator's cookie, enabling account takeover.
Recommendations
In versions v2.5.1 through v2.5.3beta, disable the 'Normal Upload' function of the Media Library, or restrict the Media Library to trusted users, until a fixed release is installed. If uploads must stay enabled, accept only an allowlist of file types, verify the file content as well as the file name, and serve stored uploads as downloads (Content-Disposition: attachment together with X-Content-Type-Options: nosniff) instead of rendering them in the application's origin, so that an uploaded file cannot execute script in an administrator's session.
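The mitigation above comes down to two checks: refuse any upload a browser could execute, and never serve a stored upload as a page. The following Go code is an example added here to show those checks; it is not code from the Gin-Vue-Admin project. `ValidateUpload`, `DownloadHeaders`, the `allowedTypes` allowlist and the sample inputs are all assumptions made for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"path/filepath"
	"strings"
)

// allowedTypes is the upload allowlist (assumed for this example): file extension ->
// MIME type the bytes must sniff as. HTML, SVG and JavaScript are deliberately
// absent, since a browser executes script from them when they are opened in the
// application's origin.
var allowedTypes = map[string]string{
	".png":  "image/png",
	".jpg":  "image/jpeg",
	".jpeg": "image/jpeg",
	".gif":  "image/gif",
	".pdf":  "application/pdf",
}

// ErrUploadRejected wraps every rejection so callers can test for it with errors.Is.
var ErrUploadRejected = errors.New("upload rejected")

// Constructed sample inputs for the demonstration, not real files from any project.
var (
	SamplePNG  = []byte("\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\x00\x00\x00\x01\x00\x00\x00\x01")
	SampleHTML = []byte("<html><script>alert(1)</script></html>")
	SampleSVG  = []byte(`<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"></svg>`)
)

// ValidateUpload enforces the allowlist on both the file name and the bytes: the
// extension must be listed and the sniffed content type must match it, so
// "page.html" and a "disguised.png" that really contains HTML are both refused.
// It returns the normalised extension to use when storing the file.
func ValidateUpload(filename string, content []byte) (string, error) {
	base := filepath.Base(filename)
	if base == "." || base == string(filepath.Separator) || strings.ContainsRune(base, 0) {
		return "", fmt.Errorf("%w: invalid file name %q", ErrUploadRejected, filename)
	}
	ext := strings.ToLower(filepath.Ext(base))
	want, ok := allowedTypes[ext]
	if !ok {
		return "", fmt.Errorf("%w: extension %q is not in the allowlist", ErrUploadRejected, ext)
	}
	// http.DetectContentType applies the WHATWG sniffing rules to the first 512 bytes,
	// which is what a browser would do if it were allowed to guess the type.
	got := http.DetectContentType(content)
	if i := strings.IndexByte(got, ';'); i >= 0 {
		got = strings.TrimSpace(got[:i]) // drop "; charset=..." before comparing
	}
	if got != want {
		return "", fmt.Errorf("%w: body sniffs as %s but %s requires %s", ErrUploadRejected, got, ext, want)
	}
	return ext, nil
}

// DownloadHeaders builds the response headers for serving a stored upload. Even an
// allowlisted file is served as a download with sniffing disabled and a CSP that
// forbids script, so a file that slipped through cannot run in the viewer's session.
func DownloadHeaders(ext string) http.Header {
	h := http.Header{}
	ct, ok := allowedTypes[strings.ToLower(ext)]
	if !ok {
		ct = "application/octet-stream"
	}
	h.Set("Content-Type", ct)
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Disposition", "attachment")
	h.Set("Content-Security-Policy", "default-src 'none'; sandbox")
	return h
}

func main() {
	cases := []struct {
		name string
		body []byte
	}{
		{"logo.PNG", SamplePNG},
		{"page.html", SampleHTML},
		{"image.svg", SampleSVG},
		{"disguised.png", SampleHTML}, // HTML body under an allowed extension
	}
	for _, c := range cases {
		ext, err := ValidateUpload(c.name, c.body)
		if err != nil {
			fmt.Printf("%-14s rejected: %v\n", c.name, err)
			continue
		}
		fmt.Printf("%-14s accepted as %s, served with %v\n", c.name, ext, DownloadHeaders(ext))
	}
}
```

The extension check alone is not enough: the content check is what catches an HTML body uploaded under a permitted name, and the download headers are what stop a file that was accepted from ever being rendered in the administrator's browser.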
Weakness Enumeration
Unrestricted File Upload
Affected Products
Gin-Vue-Admin