CVE-2023-26961

Published: Aug 8, 2023Modified: Nov 21, 2024

4.8

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Exploitability: 1.7 / Impact: 2.7

Source: NVD

Description

Alteryx Server 2022.1.1.42590 does not employ file type verification for uploaded files. This vulnerability allows attackers to upload arbitrary files (e.g., JavaScript content for stored XSS) via the type field in a JSON document within a PUT /gallery/api/media request.

Affected (1)

Products: Alteryx: Alteryx Server

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Alteryx Alteryx Server	Version 2022.1.1.42590

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

http://alteryx.com

Source: cve@mitre.org

Vendor Advisory

https://gist.github.com/DylanGrl/4269ae834c5d0ec77c9b928ad35d3be3

Source: cve@mitre.org

ExploitThird Party Advisory

http://alteryx.com

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://gist.github.com/DylanGrl/4269ae834c5d0ec77c9b928ad35d3be3

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.