Lucene search

GoogleOSV:GHSA-H454-RQ3M-89RC

HistoryOct 22, 2023 - 9:36 p.m.

Wagtail CRX CodeRed Extensions vulnerable to Path Traversal

2023-10-2221:36:10

Google

osv.dev

wagtail crx codered

path traversal

vulnerability

software security

media serving

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

7.1

Confidence

Low

EPSS

0.001

Percentile

32.4%

JSON

views.py in Wagtail CRX CodeRed Extensions (formerly CodeRed CMS or coderedcms) before 0.22.3 allows upward protected/…%2f…%2f path traversal when serving protected media.

References

github.com/coderedcorp/coderedcms

github.com/coderedcorp/coderedcms/commit/06006cec23a723bc7d76df75ce2c2d795a447902

github.com/coderedcorp/coderedcms/compare/v0.22.2...v0.22.3

github.com/coderedcorp/coderedcms/issues/448

github.com/coderedcorp/coderedcms/pull/450

github.com/pypa/advisory-database/tree/main/vulns/coderedcms/PYSEC-2023-210.yaml

nvd.nist.gov/vuln/detail/CVE-2021-46897

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

7.1

Confidence

Low

EPSS

0.001

Percentile

32.4%

JSON

Related for OSV:GHSA-H454-RQ3M-89RC