Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
osvGoogleOSV:GHSA-X8XX-X82Q-42Q3
HistoryFeb 19, 2022 - 12:01 a.m.

Exposure of Resource to Wrong Sphere in ezsystems/ezplatform-kernel

2022-02-1900:01:25
Google
osv.dev
8
image upload security
injection attacks
access control

EPSS

0.001

Percentile

31.3%

JSON

When image files are uploaded, they are made accessible under a name similar to the original file name. There are two issues with this. Both require access to uploading images in order to exploit them, this limits the impact. The first issue is that certain injection attacks can be possible, since not all possible attack vectors are removed from the original file name.

The second issue is that direct access to the images is not access controlled. This is by design, for performance reasons, and documented as such. But it does mean that images not meant to be publicly accessible can be accessed, provided that the image path and filename is correctly deduced and/or guessed, through dictionary attacks and similar.

Related

prion 1
cvelist 1
cve 1
github 1
nvd 1
prion
prion
Design/Logic Flaw
2022-02-18 18:15:00
cvelist
cvelist
CVE-2022-25336
2022-02-18 17:49:08
cve
cve
CVE-2022-25336
2022-02-18 18:15:13
github
github
Exposure of Resource to Wrong Sphere in ezsystems/ezplatform-kernel
2022-02-19 00:01:25
nvd
nvd
CVE-2022-25336
2022-02-18 18:15:13

EPSS

0.001

Percentile

31.3%

JSON
Related for OSV:GHSA-X8XX-X82Q-42Q3
prion1cvelist1cve1github1nvd1