CVE-2022-1811

CRITICAL9.1EPSS 0.19%

Publify vulnerable to cross site scripting

Published: 5/24/2022Modified: 2/16/2024

Also known as:GHSA-3hwx-c6cp-q972BIT-publify-2022-1811

Description

Unrestricted file upload allowed the attacker to manipulate the request and bypass the protection of HTML files using a text file. Stored XSS may be obtained.

Affected packages (2)

Bitnami/publifyfrom 0, < 9.2.9
RubyGems/publify_corefrom 0, < 9.2.9

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.1	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-1811
PATCHhttps://github.com/publify/publify
WEBhttps://github.com/publify/publify/commit/0fb6b027fbaf17f6a6551f2148482a03eac12927
WEBhttps://github.com/rubysec/ruby-advisory-db/blob/master/gems/publify_core/CVE-2022-1811.yml
WEBhttps://huntr.dev/bounties/4d97f665-c9f1-4c38-b774-692255a7c44c