CVE-2023-40980 : File Upload vulnerability in DWSurvey DWSurvey-OSS v.3.2.0 and before allows a r

File Upload vulnerability in DWSurvey DWSurvey-OSS v.3.2.0 and before allows a remote attacker to execute arbitrary code via the saveimage method and savveFile in the action/UploadAction.java file.

Published 2023-09-01 16:15:09

Updated 2023-09-07 17:11:54

Source MITRE

View at NVD, CVE.org

Vulnerability category: Execute code

Products affected by CVE-2023-40980

Diaowen » Dwsurvey
Versions up to, including, (<=) 3.2.0
cpe:2.3:a:diaowen:dwsurvey:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-40980

EPSS FAQ

1.29%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 78 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-40980

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2023-40980

CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2023-40980

https://github.com/wkeyuan/DWSurvey/issues/107

Arbitrary file uploads exist · Issue #107 · wkeyuan/DWSurvey · GitHub
Exploit;Issue Tracking;Third Party Advisory

Jump to

Vulnerability Details : CVE-2023-40980

Products affected by CVE-2023-40980

Exploit prediction scoring system (EPSS) score for CVE-2023-40980

CVSS scores for CVE-2023-40980

CWE ids for CVE-2023-40980

References for CVE-2023-40980