GHSA-2hw6-4rv9-82fp

Source

https://github.com/advisories/GHSA-2hw6-4rv9-82fp

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-2hw6-4rv9-82fp/GHSA-2hw6-4rv9-82fp.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-2hw6-4rv9-82fp

Aliases

CVE-2023-0265

Published

2023-04-05T00:30:39Z

Modified

2026-02-03T03:29:24.866875Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Uvdesk remote code execution vulnerability

Details

Uvdesk version 1.1.1 allows an authenticated remote attacker to execute commands on the server. This is possible because the application does not properly validate profile pictures uploaded by customers.

Database specific

{
    "nvd_published_at": "2023-04-04T22:15:00Z",
    "severity": "HIGH",
    "github_reviewed_at": "2023-04-11T21:58:45Z",
    "cwe_ids": [
        "CWE-434"
    ],
    "github_reviewed": true
}

References

Affected packages

Packagist / uvdesk/community-skeleton

Package

Name: uvdesk/community-skeleton
Purl: pkg:composer/uvdesk/community-skeleton

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.1.1

Affected versions

v1.*

v1.0.0

v1.0.1

v1.0.3

v1.0.4

v1.0.5

v1.0.6

v1.0.7

v1.0.8

v1.0.9

v1.0.10

v1.0.11

v1.0.12

v1.0.13

v1.0.14

v1.0.16

v1.0.17

v1.0.18

v1.1.0

v1.1.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-2hw6-4rv9-82fp/GHSA-2hw6-4rv9-82fp.json"