GHSA-47mc-qmh2-mqj4

Source
https://github.com/advisories/GHSA-47mc-qmh2-mqj4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-47mc-qmh2-mqj4/GHSA-47mc-qmh2-mqj4.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-47mc-qmh2-mqj4
Aliases
  • CVE-2024-40400
Published
2024-07-19T21:31:11Z
Modified
2024-08-19T21:29:10.151530Z
Severity
  • 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Automad arbitrary file upload vulnerability
Details

An arbitrary file upload vulnerability in the image upload function of Automad v2.0.0 allows attackers to execute arbitrary code via a crafted file.

The malicious file has to be prepared and uploaded manually by an admin. Usually there is only one admin per site, and that is the site owner.

References

Affected packages

Packagist / automad/automad

Package

Name
automad/automad
Purl
pkg:composer/automad/automad

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.0.0-alpha.5

Affected versions

1.*
  • 1.10.9

2.*
  • 2.0.0-alpha.1
  • 2.0.0-alpha.2
  • 2.0.0-alpha.3
  • 2.0.0-alpha.4