CVE-2021-23562
Summary
| CVE | CVE-2021-23562 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-12-03 20:15:00 UTC |
| Updated | 2021-12-07 01:22:00 UTC |
| Description | This affects the package plupload before 2.3.9. A file name containing JavaScript code could be uploaded and run. An attacker would need to trick a user to upload this kind of file. |
Risk And Classification
Problem Types: CWE-434
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Arbitrary File Upload in plupload | Snyk | CONFIRM | snyk.io | |
| Arbitrary File Upload in org.webjars.bowergithub.moxiecode:plupload | Snyk | CONFIRM | snyk.io | |
| N/A | CONFIRM | github.com | |
| fixed another case of html entities not being encoded properly · moxiecode/plupload@d12175d · GitHub | CONFIRM | github.com | |
| Arbitrary File Upload in org.webjars.bower:plupload | Snyk | CONFIRM | snyk.io | |
| Arbitrary File Upload in org.webjars:plupload | Snyk | CONFIRM | snyk.io | |
| plupload/jquery.plupload.queue.js at master · moxiecode/plupload · GitHub | MITRE | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Michele Di Stefano
There are currently no legacy QID mappings associated with this CVE.