CVE-2022-41705 – badaso/core

Package

Manager: composer
Name: badaso/core
Vulnerable Version: >=0 <2.7.0

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.02628 pctl0.85137

Details

Badaso vulnerable to Remote Code Execution (RCE) Badaso version 2.6.3 allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application does not properly validate the data uploaded by users.

Metadata

Created: 2022-11-25T18:30:25Z
Modified: 2025-04-29T15:36:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-g389-rf5p-fg56/GHSA-g389-rf5p-fg56.json
CWE IDs: ["CWE-434", "CWE-94"]
Alternative ID: GHSA-g389-rf5p-fg56
Finding: F422
Auto approve: 1