GHSA-3922-2r6r-r4fv

Source
https://github.com/advisories/GHSA-3922-2r6r-r4fv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-3922-2r6r-r4fv/GHSA-3922-2r6r-r4fv.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3922-2r6r-r4fv
Aliases
  • CVE-2025-29287
Published
2025-04-21T15:31:25Z
Modified
2025-04-21T17:12:01.821262Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
MCMS allows arbitrary file uploads in the ueditor component
Details

An arbitrary file upload vulnerability in the ueditor component of MCMS v5.4.3 allows attackers to execute arbitrary code by uploading a crafted file.

Database specific
{
    "nvd_published_at": "2025-04-21T15:15:59Z",
    "cwe_ids": [
        "CWE-434"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-21T16:19:45Z"
}
References

Affected packages

Maven / net.mingsoft:ms-mcms

Package

Name
net.mingsoft:ms-mcms
Purl
pkg:maven/net.mingsoft/ms-mcms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.4.4

Affected versions

4.*

4.6.3-SNAPSHOTS
4.6.5
4.7.1
4.7.2

5.*

5.0.0
5.0.1
5.1
5.2
5.2.0
5.2.0.RELEASE
5.2.1
5.2.2
5.2.3
5.2.4
5.2.5
5.2.6
5.2.7
5.2.8
5.2.9
5.2.10
5.2.11
5.3.0
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.4.0
5.4.1
5.4.2
5.4.3