CVE-2023-0265 – uvdesk/community-skeleton
Package
Manager: composer
Name: uvdesk/community-skeleton
Vulnerable Version: >=0 <=1.1.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00381 (percentile: 0.58749)
Details
Uvdesk remote code execution vulnerability
Uvdesk version 1.1.1 allows an authenticated remote attacker to execute commands on the server. This is possible because the application does not properly validate profile pictures uploaded by customers.
Metadata
Created: 2023-04-05T00:30:39Z
Modified: 2025-02-13T18:50:46Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-2hw6-4rv9-82fp/GHSA-2hw6-4rv9-82fp.json
CWE IDs: ["CWE-434"]
Alternative ID: GHSA-2hw6-4rv9-82fp
Finding: F027
Auto approve: 1