Lucene search

GitHub Advisory DatabaseGHSA-H454-RQ3M-89RC

HistoryOct 22, 2023 - 9:36 p.m.

Wagtail CRX CodeRed Extensions vulnerable to Path Traversal

2023-10-2221:36:10

CWE-22

GitHub Advisory Database

github.com

wagtail

crx

codered

extensions

path traversal

upward protected

media

vulnerable

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

32.4%

JSON

views.py in Wagtail CRX CodeRed Extensions (formerly CodeRed CMS or coderedcms) before 0.22.3 allows upward protected/…%2f…%2f path traversal when serving protected media.

Affected configurations

Vulners

Node

coderedcmsRange0–0.22.3

VendorProductVersionCPE
*coderedcms*cpe:2.3:a:*:coderedcms:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
*	coderedcms	*	cpe:2.3:a::coderedcms::::::::*

References

github.com/advisories/GHSA-h454-rq3m-89rc

github.com/coderedcorp/coderedcms/commit/06006cec23a723bc7d76df75ce2c2d795a447902

github.com/coderedcorp/coderedcms/compare/v0.22.2...v0.22.3

github.com/coderedcorp/coderedcms/issues/448

github.com/coderedcorp/coderedcms/pull/450

github.com/pypa/advisory-database/tree/main/vulns/coderedcms/PYSEC-2023-210.yaml

nvd.nist.gov/vuln/detail/CVE-2021-46897

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

32.4%

JSON

Related for GHSA-H454-RQ3M-89RC