GHSA-g8v9-c8m3-942v

Suggest an improvement
Source
https://github.com/advisories/GHSA-g8v9-c8m3-942v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-g8v9-c8m3-942v/GHSA-g8v9-c8m3-942v.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-g8v9-c8m3-942v
Aliases
  • CVE-2024-48514
Published
2024-10-24T18:30:44Z
Modified
2024-12-19T20:27:18.049146Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
  • 8.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U CVSS Calculator
Summary
Remote code execution in php-heic-to-jpg
Details

php-heic-to-jpg < 1.0.5 is vulnerable to remote code execution. An attacker who can upload heic images is able to execute code on the remote server via the file name. As a result, the CIA is no longer guaranteed. This affects php-heic-to-jpg below 1.0.5.

Database specific
{
    "github_reviewed_at": "2024-10-24T21:45:54Z",
    "cwe_ids": [
        "CWE-94"
    ],
    "nvd_published_at": "2024-10-24T18:15:10Z",
    "severity": "HIGH",
    "github_reviewed": true
}
References

Affected packages

Packagist / maestroerror/php-heic-to-jpg

Package

Name
maestroerror/php-heic-to-jpg
Purl
pkg:composer/maestroerror/php-heic-to-jpg

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.0.5

Affected versions

v0.*

v0.1
v0.2
v0.3
v0.3.1
v0.3.2
v0.4.0

v1.*

v1.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4