CVE-2022-43277 Canteen Management System v1.0 had an arbitrary file upload vulnerability.

CVE-2022-43277 Canteen Management System v1.0 had an arbitrary file upload vulnerability.

Attackers can upload a PHP script to execute code on the server. The file upload feature is enabled by default in Canteen. Note that this issue was discovered in Canteen v1.0.

8. Vimeo Video Library v2.3.1 permits uploading of remote code via upload/index.php file. This vulnerability allows attackers to execute code on the server.

9. Spryker Employee App v7.8.0 has a critical arbitrary file upload vulnerability via upload/index.php. Attackers can upload a malicious PHP script to the server and run it.

V2.3.1 - February 14, 2019

CVE-2022-43277: CVE-2022-43277 is a cross-site scripting vulnerability in Canteen v1.0 that allows attackers to upload and execute remote code on the server. This vulnerability allows attackers to upload a PHP script to execute code on the server. This can be used for RCE.

8. Vimeo Video Library v2.3.1 permits uploading of remote code via upload/index.php file. This vulnerability allows attackers to execute code on the server.

9. Spryker Employee App v7.8.0 has a critical arbitrary file upload vulnerability via upload/index.php, which can be exploited by uploading a malicious PHP script to the server and running it through app/classes/UploadController_Controller_FileUploaderService_IndexAction class method, resulting in arbitrary file read access and run arbitrary commands on the server through shell command execution flaw within app/controllers/MainController_AdminViewRenderer_UploadController::openFile() method of spryker_employee_app_web/controllers/_UploadController class implementation as shown below in vulnerable code snippet:

References

Subscribe to CVE.news
Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe