CVE-2022-32177

Published: Oct 14, 2022Modified: May 14, 2025

9.0

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Exploitability: 2.3 / Impact: 6.0

Source: NVD

Description

In "Gin-Vue-Admin", versions v2.5.1 through v2.5.3beta are vulnerable to Unrestricted File Upload that leads to execution of javascript code, through the 'Normal Upload' functionality to the Media Library. When an admin user views the uploaded file, a low privilege attacker will get access to the admin’s cookie leading to account takeover.

Affected (2)

Products: Gin Vue Admin Project: Gin Vue Admin

Gin Vue Admin Project

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Gin Vue Admin Project Gin Vue Admin	From 2.5.1 to 2.5.2
Gin Vue Admin Project Gin Vue Admin	Version 2.5.3 beta

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (4)

https://github.com/flipped-aurora/gin-vue-admin/blob/v2.5.3beta/web/src/components/upload/common.vue#L29-L37

Source: vulnerabilitylab@mend.io

ExploitThird Party Advisory

https://www.mend.io/vulnerability-database/CVE-2022-32177

Source: vulnerabilitylab@mend.io

ExploitThird Party Advisory

https://github.com/flipped-aurora/gin-vue-admin/blob/v2.5.3beta/web/src/components/upload/common.vue#L29-L37

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://www.mend.io/vulnerability-database/CVE-2022-32177

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.