Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0yaHc2LTRydjktODJmcM4AAyjG
Uvdesk remote code execution vulnerability
Uvdesk version 1.1.1 allows an authenticated remote attacker to execute commands on the server. This is possible because the application does not properly validate profile pictures uploaded by customers.
Permalink: https://github.com/advisories/GHSA-2hw6-4rv9-82fp
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yaHc2LTRydjktODJmcM4AAyjG
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: over 1 year ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00158
EPSS Percentile: 0.52992
Identifiers: GHSA-2hw6-4rv9-82fp, CVE-2023-0265
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-0265
- https://fluidattacks.com/advisories/supply/
- https://github.com/uvdesk/community-skeleton
- https://github.com/advisories/GHSA-2hw6-4rv9-82fp
Blast Radius: 1.0
Affected Packages
packagist:uvdesk/community-skeleton
Dependent packages: 0
Dependent repositories: 0
Downloads: 55,030 total
Affected Version Ranges: <= 1.1.1
No known fixed version
All affected versions: 1.0.0, 1.0.1, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.0.16, 1.0.17, 1.0.18, 1.1.0, 1.1.1