CVE-2023-1105 : External Control of File Name or Path in GitHub repository flatpressblog/flatpre

External Control of File Name or Path in GitHub repository flatpressblog/flatpress prior to 1.3.

Published 2023-03-01 02:15:52

Updated 2023-03-09 14:47:47

Source huntr.dev

View at NVD, CVE.org

Vulnerability category: File inclusion

Products affected by CVE-2023-1105

Flatpress » Flatpress
Versions before (<) 2022-12-25
cpe:2.3:a:flatpress:flatpress:*:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

0.04%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 10 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	huntr.dev
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None
8.1	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H	2.8	5.2	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: High

CWE-73 External Control of File Name or Path

The product allows user input to control or influence paths or file names that are used in filesystem operations.

Assigned by: security@huntr.dev (Primary)

https://github.com/flatpressblog/flatpress/commit/5d5c7f6d8f072d14926fc2c3a97cdd763802f170

fixes #179, preventing path traversal · flatpressblog/flatpress@5d5c7f6 · GitHub
Patch

CVEs referencing this url
https://huntr.dev/bounties/4089a63f-cffd-42f3-b8d8-e80b6bd9c80f

File Deletion Detected vulnerability found in flatpress
Exploit;Issue Tracking;Patch;Third Party Advisory

Jump to