SnykCVELIST:CVE-2021-23562CVE-2021-23562 Arbitrary File Upload
4.2 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
8.9 High
AI Score
Confidence
High
0.003 Low
EPSS
Percentile
70.7%
This affects the package plupload before 2.3.9. A file name containing JavaScript code could be uploaded and run. An attacker would need to trick a user to upload this kind of file.
CNA Affected
[
{
"product": "plupload",
"vendor": "n/a",
"versions": [
{
"lessThan": "2.3.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
]References
github.com/moxiecode/plupload/blob/master/js/jquery.plupload.queue/jquery.plupload.queue.js%23L226
github.com/moxiecode/plupload/commit/d12175d4b5fa799b994ee1bb17bfbeec55b386fb
snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-2306665
snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2306663
snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBMOXIECODE-2306664
snyk.io/vuln/SNYK-JS-PLUPLOAD-1583909
Related
4.2 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
8.9 High
AI Score
Confidence
High
0.003 Low
EPSS
Percentile
70.7%