Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS0yaHc2LTRydjktODJmcM4AAyjG

Uvdesk remote code execution vulnerability

Uvdesk version 1.1.1 allows an authenticated remote attacker to execute commands on the server. This is possible because the application does not properly validate profile pictures uploaded by customers.

Permalink: https://github.com/advisories/GHSA-2hw6-4rv9-82fp
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yaHc2LTRydjktODJmcM4AAyjG
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: over 1 year ago


CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Percentage: 0.00158
EPSS Percentile: 0.52992

Identifiers: GHSA-2hw6-4rv9-82fp, CVE-2023-0265
References: Repository: https://github.com/uvdesk/community-skeleton
Blast Radius: 1.0

Affected Packages

packagist:uvdesk/community-skeleton
Dependent packages: 0
Dependent repositories: 0
Downloads: 55,030 total
Affected Version Ranges: <= 1.1.1
No known fixed version
All affected versions: 1.0.0, 1.0.1, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.0.16, 1.0.17, 1.0.18, 1.1.0, 1.1.1