Vulnerability Details : CVE-2022-29622
An arbitrary file upload vulnerability in formidable v3.1.4 allows attackers to execute arbitrary code via a crafted filename. NOTE: some third parties dispute this issue because the product has common use cases in which uploading arbitrary files is the desired behavior. Also, there are configuration options in all versions that can change the default behavior of how files are handled. Strapi does not consider this to be a valid vulnerability.
Vulnerability category: Execute code
Products affected by CVE-2022-29622
- cpe:2.3:a:formidable_project:formidable:3.1.4:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-29622
- EPSS score: 1.27% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~86% (proportion of all scored vulnerabilities with a score at or below this one)
CVSS scores for CVE-2022-29622

Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST |
CWE ids for CVE-2022-29622
- The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-29622
- https://medium.com/@zsolt.imre/is-cybersecurity-the-next-supply-chain-vulnerability-9a00de745022 (Exploit; Third Party Advisory; the page now returns 410, deleted by author)
- https://github.com/node-formidable/formidable/issues/856 ("Vulnerability CVE-2022-29622 is reported by Whitesource", node-formidable/formidable; Issue Tracking; Third Party Advisory)
- https://github.com/node-formidable/formidable/issues/862 ("Filename filtering is inappropriate", node-formidable/formidable; Exploit; Issue Tracking; Third Party Advisory)
- https://www.youtube.com/watch?v=C6QPKooxhAo (Exploit; Third Party Advisory)
- https://github.com/strapi/strapi/issues/20189 ("NOTICE: Formidable Vulnerability is NOT valid", strapi/strapi)