This occurs because the application does not validate upload requests. A low-privileged attacker can take advantage of this to upload and execute malicious code. Thus, the Media Library can be exploited to cause a security breach.

Solution: Upgrade to version 2.5.4 or higher.

CVE-2018-5178: Cookie Splitting Unrestricted File Upload Vulnerability. The "Compress Upload" functionality in the "Media Library" in versions v2.5.1 through v2.5.3b of the "Gin-Vue-Admin" server software allows unrestricted file uploads that can be used to execute code through the "Media Library".

CVE-2018-5179: Cookie Splitting Unrestricted File Upload Vulnerability. The "Compress Upload" functionality in the "Media Library" in versions v2.5.1 through v2.5.3b of the "Gin-Vue-Admin" server software allows unrestricted file uploads that can be used to execute code through the "Media Library".

CVE-2018-5180: Cookie Splitting Unrestricted File Upload Vulnerability. The "Compress Upload" functionality in the "Media Library" in versions v2.5.1 through v2.5.3b of the "Gin-Vue-Admin" server software allows unrestricted

The "Media Library" - Introduction

The "Media Library" is a component of the "Gin-Vue-Admin" server software that can be found in the admin panel. It has a "Compress Upload" feature that allows users to upload files and compress them into one binary file. This function can provide the attacker with an opportunity to execute malicious code, which leads to a security breach.

1. The "Media Library" is vulnerable because it allows unrestricted file uploads without validation.
2. The vulnerability exists in all versions of the "Gin-Vue-Admin" server software, but was not publicly acknowledged until 2018.
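The missing validation described above can be illustrated with a server-side check written in Go, the language of the Gin-Vue-Admin backend. This is an added example, not code from the project or its fix; `ValidateUpload`, `allowedTypes`, `maxUploadBytes` and the allowed file types are assumptions chosen for a media library.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"path/filepath"
	"strings"
)

// allowedTypes (assumed set) maps a permitted extension to the type its bytes must sniff as.
var allowedTypes = map[string]string{
	".png":  "image/png",
	".jpg":  "image/jpeg",
	".jpeg": "image/jpeg",
}

const maxUploadBytes = 5 << 20 // 5 MiB cap, an assumed limit

// ValidateUpload checks a client-supplied name and body and returns a
// server-generated storage name. The client name never reaches the filesystem.
func ValidateUpload(clientName string, data []byte) (string, error) {
	if len(data) == 0 || len(data) > maxUploadBytes {
		return "", errors.New("upload size out of range")
	}
	// Only the final extension counts, so "a.png.php" is judged as ".php".
	ext := strings.ToLower(filepath.Ext(clientName))
	want, ok := allowedTypes[ext]
	if !ok {
		return "", fmt.Errorf("extension %q not allowed", ext)
	}
	// Sniff the leading bytes instead of trusting the Content-Type header.
	if got := http.DetectContentType(data); got != want {
		return "", fmt.Errorf("content %q does not match extension %q", got, ext)
	}
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return "", err
	}
	return hex.EncodeToString(id) + ext, nil
}

func main() {
	png := []byte("\x89PNG\r\n\x1a\n constructed sample bytes")
	fmt.Println(ValidateUpload("avatar.png", png))
	fmt.Println(ValidateUpload("shell.php", []byte("<?php ?>")))
}
```

The returned name should be stored in a directory the server never executes or interprets as code.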

Timeline

Published on: 10/17/2022 19:15:00 UTC

References