CVE-2024-29272

MEDIUM6.5EPSS 89.4%

VvvebJs Arbitrary File Upload vulnerability

Published: 3/22/2024Modified: 8/2/2024

Description

Arbitrary File Upload vulnerability in VvvebJs before version 1.7.5, allows unauthenticated remote attackers to execute arbitrary code and obtain sensitive information via the sanitizeFileName parameter in save.php.

Affected packages (1)

npm/vvvebJsfrom 0, < 1.7.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-29272
PATCHhttps://github.com/givanz/VvvebJs
WEBhttps://github.com/givanz/VvvebJs/commit/c6422cfd4d835c2fa6d512645e30015f24538ef0
WEBhttps://github.com/givanz/VvvebJs/issues/343