m1k1o/blog is a lightweight self-hosted facebook-styled PHP blog. Errors from functions `imagecreatefrom*` and `image*` have not been…
GitHub_M·CWE-20·Published 2022-02-08
m1k1o/blog is a lightweight self-hosted facebook-styled PHP blog. Errors from functions `imagecreatefrom*` and `image*` have not been checked properly. Although PHP issued warnings and the upload function returned `false`, the original file (that could contain a malicious payload) was kept on the disk. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.
m1k1o/blog is a lightweight self-hosted facebook-styled PHP blog. Errors from functions `imagecreatefrom*` and `image*` have not been checked properly. Although PHP issued warnings and the upload function returned `false`, the original file (that could contain a malicious payload) was kept on the disk. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.
m1k1o/blog es un blog PHP ligero y auto-alojado al estilo de Facebook. Los errores de las funciones "imagecreatefrom*" y "image*" no han sido comprobados apropiadamente. Aunque PHP emitía advertencias y la función de carga devolvía "false", el archivo original (que podría contener una carga maliciosa) era mantenido en el disco. Es reacomendado a usuarios actualizar lo antes posible. No hay medidas de mitigación adicionales conocidas para este problema
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 6.5 | 8.0 | 6.4 | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| 3.1 | Primary | NVD | 8.8 | 2.8 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Primary | cve.org | 8.5 | — | — | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
| 3.1 | Primary | cve.org | 8.5 | — | — | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
| 3.1 | Secondary | NVD | 8.5 | 1.8 | 6.0 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |