CVE-2022-45338

Published: Dec 15, 2022Modified: Apr 21, 2025

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

An arbitrary file upload vulnerability in the profile picture upload function of Exact Synergy Enterprise 267 before 267SP13 and Exact Synergy Enterprise 500 before 500SP6 allows attackers to execute arbitrary code via a crafted SVG file.

Affected (19)

Products: Exactsoftware: Exact Synergy

Exactsoftware

1 product

Exact Synergy

Configuration A

19 vulnerable

Vulnerable Software	Affected Versions
Exactsoftware Exact Synergy	Version 267
Exactsoftware Exact Synergy	Version 267 sp10
Exactsoftware Exact Synergy	Version 267 sp11
Exactsoftware Exact Synergy	Version 267 sp12
Exactsoftware Exact Synergy	Version 267 sp1
Exactsoftware Exact Synergy	Version 267 sp2
Exactsoftware Exact Synergy	Version 267 sp3
Exactsoftware Exact Synergy	Version 267 sp4
Exactsoftware Exact Synergy	Version 267 sp5
Exactsoftware Exact Synergy	Version 267 sp6
Exactsoftware Exact Synergy	Version 267 sp7
Exactsoftware Exact Synergy	Version 267 sp8
Exactsoftware Exact Synergy	Version 267 sp9
Exactsoftware Exact Synergy	Version 500
Exactsoftware Exact Synergy	Version 500 sp1
Exactsoftware Exact Synergy	Version 500 sp2
Exactsoftware Exact Synergy	Version 500 sp3
Exactsoftware Exact Synergy	Version 500 sp4
Exactsoftware Exact Synergy	Version 500 sp5

Related CWEs

CWE-434

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (2)

https://gist.github.com/MaxRozendaal/633b34a4675b60caed736e5ffe28f272

Source: cve@mitre.org

Third Party Advisory

https://gist.github.com/MaxRozendaal/633b34a4675b60caed736e5ffe28f272

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.