GitHub Advisory DatabaseGHSA-5JGJ-H9WP-53FRKnown vulnerable to code execution via SVG file in v1.3.1
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
34.2%
An issue in the isSVG() function of Known v1.3.1 allows attackers to execute arbitrary code via a crafted SVG file.
The researcher report indicates that versions 1.3.1 and prior are vulnerable. Version 1.2.2 is the last version tagged on GitHub and in Packagist, and development related to the 1.3.x branch is currently on the dev branch of the idno/known repository.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| idno/known | le | 1.3.1 |
References
blog.jitendrapatro.me/multiple-vulnerabilities-in-idno-known-php-cms-software/
github.com/advisories/GHSA-5jgj-h9wp-53fr
github.com/idno/known
github.com/idno/known/blob/dev/composer.json#L4
github.com/idno/known/commit/80b716a8392fb71cfce84d03aaf7c045c62f6350
nvd.nist.gov/vuln/detail/CVE-2022-32115
withknown.com/
Related
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
34.2%