Gin-vue-admin vulnerable to Unrestricted Upload of File with Dangerous Type
CVE-2022-39305

9.8CRITICAL

Key Information:

Vendor: Flipped-aurora
Status: Gin-vue-admin
Vendor: CVE Published:; 24 October 2022

🔔 Create Flipped-aurora Vulnerability Alert

What is CVE-2022-39305?

Gin-vue-admin is a backstage management system based on vue and gin, which separates the front and rear of the full stack. Versions prior to 2.5.4 contain a file upload ability. The affected code fails to validate fileMd5 and fileName parameters, resulting in an arbitrary file being read. This issue is patched in 2.5.4b. There are no known workarounds.

Affected Version(s)

gin-vue-admin 2.5.4b

References

https://github.com/flipped-aurora/gin-vue-admin/security/...

https://github.com/flipped-aurora/gin-vue-admin/blob/main...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 24, 2022
Vulnerability Reserved
Sep 2, 2022