CVE-2022-27952 – payload
Package
Manager: npm
Name: payload
Vulnerable Version: >=0 <0.15.1
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00952 (percentile 0.75497)
Details
Unrestricted Upload of File with Dangerous Type in Payload
An arbitrary file upload vulnerability in the file upload module of PayloadCMS v0.15.0 allows attackers to execute arbitrary code via a crafted SVG file.
Metadata
Created: 2022-04-13T00:00:22Z
Modified: 2022-04-22T20:28:59Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-w8xh-93qh-35vw/GHSA-w8xh-93qh-35vw.json
CWE IDs: ["CWE-434"]
Alternative ID: GHSA-w8xh-93qh-35vw
Finding: F027
Auto approve: 1