CVE-2022-36285 - OpenCVE

Authenticated Arbitrary File Upload vulnerability in dmitrylitvinov Uploading SVG, WEBP and ICO files plugin <= 1.0.1 at WordPress.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Uploading Svg\, Webp And Ico Files Project	Uploading Svg\, Webp And Ico Files

Configuration 1 [-]

cpe:2.3:a:uploading_svg\,_webp_and_ico_files_project:uploading_svg\,_webp_and_ico_files:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://patchstack.com/database/vulnerability/uploading-svgwebp-and-ico-files/wordpress-uploading-svg-webp-and-ico-files-plugin-1-0-0-authenticated-arbitrary-file-upload-vulnerability
https://wordpress.org/plugins/uploading-svgwebp-and-ico-files/#developers

History

No history.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2022-08-23T15:48:09.265159Z

Updated: 2024-09-16T18:54:35.203Z

Reserved: 2022-07-22T00:00:00

Link: CVE-2022-36285

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-08-23T16:15:11.143

Modified: 2022-08-26T04:56:59.277

Link: CVE-2022-36285

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Uploading SVG, WEBP and ICO files (WordPress plugin)", "vendor": "dmitrylitvinov", "versions": [{"lessThanOrEqual": "1.0.1", "status": "affected", "version": "<= 1.0.1", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Vulnerability discovered by Kim Jong Min aka Universe (Patchstack Alliance)"}], "datePublic": "2022-08-11T00:00:00", "descriptions": [{"lang": "en", "value": "Authenticated Arbitrary File Upload vulnerability in dmitrylitvinov Uploading SVG, WEBP and ICO files plugin <= 1.0.1 at WordPress."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-23T15:48:09", "orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://wordpress.org/plugins/uploading-svgwebp-and-ico-files/#developers"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://patchstack.com/database/vulnerability/uploading-svgwebp-and-ico-files/wordpress-uploading-svg-webp-and-ico-files-plugin-1-0-0-authenticated-arbitrary-file-upload-vulnerability"}], "source": {"discovery": "EXTERNAL"}, "title": "WordPress Uploading SVG, WEBP and ICO files plugin <= 1.0.1 - Authenticated Arbitrary File Upload vulnerability", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "audit@patchstack.com", "DATE_PUBLIC": "2022-08-11T23:36:00.000Z", "ID": "CVE-2022-36285", "STATE": "PUBLIC", "TITLE": "WordPress Uploading SVG, WEBP and ICO files plugin <= 1.0.1 - Authenticated Arbitrary File Upload vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Uploading SVG, WEBP and ICO files (WordPress plugin)", "version": {"version_data": [{"version_affected": "<=", "version_name": "<= 1.0.1", "version_value": "1.0.1"}]}}]}, "vendor_name": "dmitrylitvinov"}]}}, "credit": [{"lang": "eng", "value": "Vulnerability discovered by Kim Jong Min aka Universe (Patchstack Alliance)"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Authenticated Arbitrary File Upload vulnerability in dmitrylitvinov Uploading SVG, WEBP and ICO files plugin <= 1.0.1 at WordPress."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}]}, "references": {"reference_data": [{"name": "https://wordpress.org/plugins/uploading-svgwebp-and-ico-files/#developers", "refsource": "CONFIRM", "url": "https://wordpress.org/plugins/uploading-svgwebp-and-ico-files/#developers"}, {"name": "https://patchstack.com/database/vulnerability/uploading-svgwebp-and-ico-files/wordpress-uploading-svg-webp-and-ico-files-plugin-1-0-0-authenticated-arbitrary-file-upload-vulnerability", "refsource": "CONFIRM", "url": "https://patchstack.com/database/vulnerability/uploading-svgwebp-and-ico-files/wordpress-uploading-svg-webp-and-ico-files-plugin-1-0-0-authenticated-arbitrary-file-upload-vulnerability"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:00:04.447Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://wordpress.org/plugins/uploading-svgwebp-and-ico-files/#developers"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://patchstack.com/database/vulnerability/uploading-svgwebp-and-ico-files/wordpress-uploading-svg-webp-and-ico-files-plugin-1-0-0-authenticated-arbitrary-file-upload-vulnerability"}]}]}, "cveMetadata": {"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "assignerShortName": "Patchstack", "cveId": "CVE-2022-36285", "datePublished": "2022-08-23T15:48:09.265159Z", "dateReserved": "2022-07-22T00:00:00", "dateUpdated": "2024-09-16T18:54:35.203Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:uploading_svg\\,_webp_and_ico_files_project:uploading_svg\\,_webp_and_ico_files:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "DABB28AB-5FE4-4A92-A708-534C4628152D", "versionEndIncluding": "1.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Authenticated Arbitrary File Upload vulnerability in dmitrylitvinov Uploading SVG, WEBP and ICO files plugin <= 1.0.1 at WordPress."}, {"lang": "es", "value": "Una vulnerabilidad de Subida de Archivos Arbitrarios Autenticada en el plugin dmitrylitvinov Uploading SVG, WEBP and ICO files versiones anteriores a 1.0.1 incluy\u00e9ndola, en WordPress."}], "id": "CVE-2022-36285", "lastModified": "2022-08-26T04:56:59.277", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2022-08-23T16:15:11.143", "references": [{"source": "audit@patchstack.com", "tags": ["Third Party Advisory"], "url": "https://patchstack.com/database/vulnerability/uploading-svgwebp-and-ico-files/wordpress-uploading-svg-webp-and-ico-files-plugin-1-0-0-authenticated-arbitrary-file-upload-vulnerability"}, {"source": "audit@patchstack.com", "tags": ["Product", "Release Notes"], "url": "https://wordpress.org/plugins/uploading-svgwebp-and-ico-files/#developers"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "audit@patchstack.com", "type": "Primary"}]}