Lucene search

[email protected]NVD:CVE-2023-26961

HistoryAug 08, 2023 - 8:15 p.m.

CVE-2023-26961

2023-08-0820:15:10

CWE-79

[email protected]

web.nvd.nist.gov

alteryx

server

vulnerability

file uploads

json

request

cve-2023-26961

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

AI Score

5.2

Confidence

High

EPSS

0.001

Percentile

24.0%

JSON

Alteryx Server 2022.1.1.42590 does not employ file type verification for uploaded files. This vulnerability allows attackers to upload arbitrary files (e.g., JavaScript content for stored XSS) via the type field in a JSON document within a PUT /gallery/api/media request.

Affected configurations

Nvd

Node

alteryxalteryx_serverMatch2022.1.1.42590

VendorProductVersionCPE
alteryxalteryx_server2022.1.1.42590cpe:2.3:a:alteryx:alteryx_server:2022.1.1.42590:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
alteryx	alteryx_server	2022.1.1.42590	cpe:2.3:a:alteryx:alteryx_server:2022.1.1.42590:::::::*

References

alteryx.com

gist.github.com/DylanGrl/4269ae834c5d0ec77c9b928ad35d3be3