Vulnerability Details : CVE-2022-32176
In "Gin-Vue-Admin", versions v2.5.1 through v2.5.3b are vulnerable to Unrestricted File Upload, which leads to execution of JavaScript code through the "Compress Upload" functionality of the Media Library. When an admin user views the uploaded file, a low-privilege attacker obtains the admin's cookie, leading to account takeover.
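The description above amounts to a stored cross-site scripting chain: an authenticated low-privilege user uploads a file that is not really an image, and the browser executes it when an admin opens it from the media library. The advisory's GitHub reference points at a front-end component (web/src/components/upload/image.vue), so the defensive point is that the file-type check must be enforced on the server, where the attacker cannot bypass it. The Go program below is an added example, not gin-vue-admin's own code; it assumes a plain net/http server (no gin dependency) and uses constructed sample uploads. It rejects anything that is not a genuine PNG/JPEG/GIF by requiring the extension and the sniffed content to agree, and it shows the headers to send when serving stored uploads so that a mis-stored file still cannot run script.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"path/filepath"
	"strings"
)

// allowedImageTypes maps each permitted extension to the MIME type the
// file content must sniff as. Anything outside this allowlist is rejected,
// so HTML, SVG (which can carry <script>) and other active content never
// reach the media library regardless of what the client claimed.
var allowedImageTypes = map[string]string{
	".png":  "image/png",
	".jpg":  "image/jpeg",
	".jpeg": "image/jpeg",
	".gif":  "image/gif",
}

// ErrDisallowedType is returned for any upload that fails validation.
var ErrDisallowedType = errors.New("upload rejected: file type not permitted")

// ValidateImageUpload enforces the allowlist on the server. It checks the
// extension, then sniffs the content the way a browser would
// (http.DetectContentType inspects the first 512 bytes) and requires the
// two to agree. It returns the MIME type to store alongside the file.
func ValidateImageUpload(filename string, content []byte) (string, error) {
	ext := strings.ToLower(filepath.Ext(filename))
	want, ok := allowedImageTypes[ext]
	if !ok {
		return "", fmt.Errorf("%w: extension %q", ErrDisallowedType, ext)
	}
	sniffed := http.DetectContentType(content)
	if sniffed != want {
		// Extension says image, bytes say otherwise: a renamed HTML/SVG file.
		return "", fmt.Errorf("%w: %q declared %s but content sniffs as %s",
			ErrDisallowedType, filename, want, sniffed)
	}
	return want, nil
}

// SafeUploadHeaders builds the response headers for serving a stored upload.
// Even for a validated image, nosniff stops the browser from reinterpreting
// the body, and the sandbox CSP blocks script execution should a file ever
// be mis-stored. contentType is the value ValidateImageUpload returned.
func SafeUploadHeaders(contentType string) http.Header {
	h := http.Header{}
	h.Set("Content-Type", contentType)
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy", "sandbox; default-src 'none'")
	return h
}

// Constructed sample uploads (not real files from the advisory).
var (
	samplePNG  = []byte("\x89PNG\r\n\x1a\n" + strings.Repeat("\x00", 16)) // PNG signature plus padding
	sampleHTML = []byte("<!DOCTYPE html><html><script>/* placeholder */</script></html>")
	sampleSVG  = []byte(`<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><script>/* placeholder */</script></svg>`)
)

func main() {
	for _, f := range []struct {
		name string
		body []byte
	}{
		{"logo.png", samplePNG},
		{"page.html", sampleHTML},
		{"logo.png", sampleHTML}, // renamed HTML: extension passes, sniff fails
		{"icon.svg", sampleSVG},
	} {
		ct, err := ValidateImageUpload(f.name, f.body)
		if err != nil {
			fmt.Println("REJECT", f.name, "->", err)
			continue
		}
		fmt.Println("ACCEPT", f.name, "as", ct, "served with", SafeUploadHeaders(ct))
	}
}
```

The validator deliberately ignores the client-supplied Content-Type of the multipart part, since that is attacker-controlled; only the extension and the bytes on disk are trusted, and both must match the allowlist.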
Products affected by CVE-2022-32176
- Gin-vue-admin Project » Gin-vue-admin: versions from 2.5.1 (>=, inclusive) up to and including 2.5.3b (<=)
  CPE: cpe:2.3:a:gin-vue-admin_project:gin-vue-admin:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-32176
- EPSS score: 0.12% (probability of exploitation activity in the next 30 days)
- Percentile: ~46% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2022-32176
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H | 2.3 | 6.0 | NIST | |
9.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H | 2.3 | 6.0 | Mend | |
CWE ids for CVE-2022-32176
- The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. (Assigned by: vulnerabilitylab@mend.io, Primary)
References for CVE-2022-32176
- https://www.mend.io/vulnerability-database/CVE-2022-32176 (CVE-2022-32176 | Mend Vulnerability Database) [Exploit; Third Party Advisory]
- https://github.com/flipped-aurora/gin-vue-admin/blob/v2.5.3beta/web/src/components/upload/image.vue#L43-L49 (gin-vue-admin/image.vue at v2.5.3beta · flipped-aurora/gin-vue-admin · GitHub) [Exploit; Third Party Advisory]