CVE-2022-32176

Published: Oct 17, 2022Modified: May 27, 2025

9.0

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Exploitability: 2.3 / Impact: 6.0

Source: NVD

Description

In "Gin-Vue-Admin", versions v2.5.1 through v2.5.3b are vulnerable to Unrestricted File Upload that leads to execution of javascript code, through the "Compress Upload" functionality to the Media Library. When an admin user views the uploaded file, a low privilege attacker will get access to the admin's cookie leading to account takeover.

Affected (1)

Products: Gin Vue Admin Project: Gin Vue Admin

Gin Vue Admin Project

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Gin Vue Admin Project Gin Vue Admin	From 2.5.1 to 2.5.3b

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (4)

https://github.com/flipped-aurora/gin-vue-admin/blob/v2.5.3beta/web/src/components/upload/image.vue#L43-L49

Source: vulnerabilitylab@mend.io

ExploitThird Party Advisory

https://www.mend.io/vulnerability-database/CVE-2022-32176

Source: vulnerabilitylab@mend.io

ExploitThird Party Advisory

https://github.com/flipped-aurora/gin-vue-admin/blob/v2.5.3beta/web/src/components/upload/image.vue#L43-L49

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://www.mend.io/vulnerability-database/CVE-2022-32176

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.