Lucene search

[email protected]CVE-2023-6142

HistoryNov 21, 2023 - 12:15 a.m.

CVE-2023-6142

2023-11-2100:15:07

CWE-79

[email protected]

web.nvd.nist.gov

cve-2023-6142

dev blog v1.0

xss

unrestricted file upload

filename entropy

6.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L

5.4 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

14.1%

JSON

Dev blog v1.0 allows to exploit an XSS through an unrestricted file upload, together with a bad entropy of filenames. With this an attacker can upload a malicious HTML file, then guess the filename of the uploaded file and send it to a potential victim.

Affected configurations

NVD

Node

armanidrisidev_blogMatch1.0

CPENameOperatorVersion
armanidrisi:dev_blogarmanidrisi dev blogeq1.0

CPE	Name	Operator	Version
armanidrisi:dev_blog	armanidrisi dev blog	eq	1.0

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Dev Blog",
    "vendor": "Dev Blog",
    "versions": [
      {
        "status": "affected",
        "version": "1.0"
      }
    ]
  }
]

References

fluidattacks.com/advisories/bunny/

github.com/Armanidrisi/devblog/

6.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L

5.4 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

14.1%

JSON

Related for CVE-2023-6142

cnvd1 nvd1 prion1 cvelist1