CVE-2022-45338 : An arbitrary file upload vulnerability in the profile picture upload function of

An arbitrary file upload vulnerability in the profile picture upload function of Exact Synergy Enterprise 267 before 267SP13 and Exact Synergy Enterprise 500 before 500SP6 allows attackers to execute arbitrary code via a crafted SVG file.

Published 2022-12-15 23:15:10

Updated 2025-04-21 15:15:55

Source MITRE

View at NVD, CVE.org

Vulnerability category: Execute code

Products affected by CVE-2022-45338

Exactsoftware » Exact Synergy » Version: 500 Update SP1 Enterprise Edition
cpe:2.3:a:exactsoftware:exact_synergy:500:sp1:*:*:enterprise:*:*:*
Matching versions
Exactsoftware » Exact Synergy » Version: 500 Enterprise Edition
cpe:2.3:a:exactsoftware:exact_synergy:500:-:*:*:enterprise:*:*:*
Matching versions
Exactsoftware » Exact Synergy » Version: 500 Update SP2 Enterprise Edition
cpe:2.3:a:exactsoftware:exact_synergy:500:sp2:*:*:enterprise:*:*:*
Matching versions
Exactsoftware » Exact Synergy » Version: 500 Update SP3 Enterprise Edition
cpe:2.3:a:exactsoftware:exact_synergy:500:sp3:*:*:enterprise:*:*:*
Matching versions
Exactsoftware » Exact Synergy » Version: 500 Update SP4 Enterprise Edition
cpe:2.3:a:exactsoftware:exact_synergy:500:sp4:*:*:enterprise:*:*:*
Matching versions
Exactsoftware » Exact Synergy » Version: 500 Update SP5 Enterprise Edition
cpe:2.3:a:exactsoftware:exact_synergy:500:sp5:*:*:enterprise:*:*:*
Matching versions
Exactsoftware » Exact Synergy » Version: 267 Update SP1 Enterprise Edition
cpe:2.3:a:exactsoftware:exact_synergy:267:sp1:*:*:enterprise:*:*:*
Matching versions
Exactsoftware » Exact Synergy » Version: 267 Update SP2 Enterprise Edition
cpe:2.3:a:exactsoftware:exact_synergy:267:sp2:*:*:enterprise:*:*:*
Matching versions
Exactsoftware » Exact Synergy » Version: 267 Update SP3 Enterprise Edition
cpe:2.3:a:exactsoftware:exact_synergy:267:sp3:*:*:enterprise:*:*:*
Matching versions
Exactsoftware » Exact Synergy » Version: 267 Update SP4 Enterprise Edition
cpe:2.3:a:exactsoftware:exact_synergy:267:sp4:*:*:enterprise:*:*:*
Matching versions
Exactsoftware » Exact Synergy » Version: 267 Update SP5 Enterprise Edition
cpe:2.3:a:exactsoftware:exact_synergy:267:sp5:*:*:enterprise:*:*:*
Matching versions
Exactsoftware » Exact Synergy » Version: 267 Update SP6 Enterprise Edition
cpe:2.3:a:exactsoftware:exact_synergy:267:sp6:*:*:enterprise:*:*:*
Matching versions
Exactsoftware » Exact Synergy » Version: 267 Update SP7 Enterprise Edition
cpe:2.3:a:exactsoftware:exact_synergy:267:sp7:*:*:enterprise:*:*:*
Matching versions
Exactsoftware » Exact Synergy » Version: 267 Update SP8 Enterprise Edition
cpe:2.3:a:exactsoftware:exact_synergy:267:sp8:*:*:enterprise:*:*:*
Matching versions
Exactsoftware » Exact Synergy » Version: 267 Update SP9 Enterprise Edition
cpe:2.3:a:exactsoftware:exact_synergy:267:sp9:*:*:enterprise:*:*:*
Matching versions
Exactsoftware » Exact Synergy » Version: 267 Update Sp10 Enterprise Edition
cpe:2.3:a:exactsoftware:exact_synergy:267:sp10:*:*:enterprise:*:*:*
Matching versions
Exactsoftware » Exact Synergy » Version: 267 Update Sp11 Enterprise Edition
cpe:2.3:a:exactsoftware:exact_synergy:267:sp11:*:*:enterprise:*:*:*
Matching versions
Exactsoftware » Exact Synergy » Version: 267 Update Sp12 Enterprise Edition
cpe:2.3:a:exactsoftware:exact_synergy:267:sp12:*:*:enterprise:*:*:*
Matching versions
Exactsoftware » Exact Synergy » Version: 267 Enterprise Edition
cpe:2.3:a:exactsoftware:exact_synergy:267:-:*:*:enterprise:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-45338

EPSS FAQ

0.03%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 6 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-45338

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	1.8	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-04-21
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-45338

CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2022-45338

https://gist.github.com/MaxRozendaal/633b34a4675b60caed736e5ffe28f272

CVE-2022-45338 - Stored XSS in Exact Synergy Enterprise · GitHub
Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-45338

Products affected by CVE-2022-45338

Exploit prediction scoring system (EPSS) score for CVE-2022-45338

CVSS scores for CVE-2022-45338

CWE ids for CVE-2022-45338

References for CVE-2022-45338