CVE Vulnerability

CVE-2022-29622

An arbitrary file upload vulnerability in formidable v3.1.4 allows attackers to execute arbitrary code via a crafted filename. NOTE: some third parties dispute this issue because the product has common use cases in which uploading arbitrary files is the desired behavior. Also, there are configuration options in all versions that can change the default behavior of how files are handled.

7.5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 6.4

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

Scope

9.8 /10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://www.youtube.com/watch?v=C6QPKooxhAo Exploit Third Party Advisory
https://medium.com/@zsolt.imre/is-cybersecurity-the-next-supply-chain-vulnerability-9a00de745022 Exploit Third Party Advisory
https://github.com/node-formidable/formidable/issues/856 Issue Tracking Third Party Advisory
https://github.com/node-formidable/formidable/issues/862 Exploit Issue Tracking
Configurations

Configuration 1

cpe:2.3:a:formidable_project:formidable:3.1.4:*:*:*:*:node.js:*:*
Information

Published : 2022-05-16 02:15

Updated : 2023-02-09 02:15

NVD link : CVE-2022-29622

Mitre link : CVE-2022-29622

Products Affected
No products.
CWE
CWE-434