Vulnerabilites related to gin-vue-admin - gin-vue-admin
CVE-2022-32177 (GCVE-0-2022-32177)
Vulnerability from cvelistv5
Published
2022-10-14 07:00
Modified
2025-05-14 15:19
Severity ?
CWE
  • CWE-434 - Unrestricted Upload of File with Dangerous Type
Summary
In "Gin-Vue-Admin", versions v2.5.1 through v2.5.3beta are vulnerable to Unrestricted File Upload that leads to execution of javascript code, through the 'Normal Upload' functionality to the Media Library. When an admin user views the uploaded file, a low privilege attacker will get access to the admin’s cookie leading to account takeover.
Impacted products
Vendor Product Version
gin-vue-admin gin-vue-admin Version: v2.5.1   < unspecified
Version: unspecified   <
Create a notification for this product.
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T07:32:55.999Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.mend.io/vulnerability-database/CVE-2022-32177"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/flipped-aurora/gin-vue-admin/blob/v2.5.3beta/web/src/components/upload/common.vue#L29-L37"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-32177",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-14T15:18:31.840168Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-14T15:19:24.105Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "gin-vue-admin",
          "vendor": "gin-vue-admin",
          "versions": [
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "v2.5.1",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "v2.5.3beta",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Mend Vulnerability Research Team (MVR)"
        }
      ],
      "datePublic": "2022-10-11T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "In \"Gin-Vue-Admin\", versions v2.5.1 through v2.5.3beta are vulnerable to Unrestricted File Upload that leads to execution of javascript code, through the \u0027Normal Upload\u0027 functionality to the Media Library. When an admin user views the uploaded file, a low privilege attacker will get access to the admin\u2019s cookie leading to account takeover."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
              "version": 3.1
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-14T00:00:00.000Z",
        "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
        "shortName": "Mend"
      },
      "references": [
        {
          "url": "https://www.mend.io/vulnerability-database/CVE-2022-32177"
        },
        {
          "url": "https://github.com/flipped-aurora/gin-vue-admin/blob/v2.5.3beta/web/src/components/upload/common.vue#L29-L37"
        }
      ],
      "source": {
        "advisory": "https://www.mend.io/vulnerability-database/",
        "discovery": "UNKNOWN"
      },
      "title": "Gin-vue-admin - Unrestricted File Upload",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
    "assignerShortName": "Mend",
    "cveId": "CVE-2022-32177",
    "datePublished": "2022-10-14T07:00:14.339Z",
    "dateReserved": "2022-05-31T00:00:00.000Z",
    "dateUpdated": "2025-05-14T15:19:24.105Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-32176 (GCVE-0-2022-32176)
Vulnerability from cvelistv5
Published
2022-10-17 18:25
Modified
2025-05-10 02:53
Severity ?
CWE
  • CWE-434 - Unrestricted Upload of File with Dangerous Type
Summary
In "Gin-Vue-Admin", versions v2.5.1 through v2.5.3b are vulnerable to Unrestricted File Upload that leads to execution of javascript code, through the "Compress Upload" functionality to the Media Library. When an admin user views the uploaded file, a low privilege attacker will get access to the admin's cookie leading to account takeover.
Impacted products
Vendor Product Version
gin-vue-admin gin-vue-admin Version: v2.5.1   < unspecified
Version: unspecified   <
Create a notification for this product.
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T07:32:55.987Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.mend.io/vulnerability-database/CVE-2022-32176"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/flipped-aurora/gin-vue-admin/blob/v2.5.3beta/web/src/components/upload/image.vue#L43-L49"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-32176",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-10T02:52:36.253724Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-10T02:53:12.843Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "gin-vue-admin",
          "vendor": "gin-vue-admin",
          "versions": [
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "v2.5.1",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "v2.5.3b",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Mend Vulnerability Research Team (MVR)"
        }
      ],
      "datePublic": "2022-10-11T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "In \"Gin-Vue-Admin\", versions v2.5.1 through v2.5.3b are vulnerable to Unrestricted File Upload that leads to execution of javascript code, through the \"Compress Upload\" functionality to the Media Library. When an admin user views the uploaded file, a low privilege attacker will get access to the admin\u0027s cookie leading to account takeover."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
              "version": 3.1
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-17T00:00:00.000Z",
        "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
        "shortName": "Mend"
      },
      "references": [
        {
          "url": "https://www.mend.io/vulnerability-database/CVE-2022-32176"
        },
        {
          "url": "https://github.com/flipped-aurora/gin-vue-admin/blob/v2.5.3beta/web/src/components/upload/image.vue#L43-L49"
        }
      ],
      "source": {
        "advisory": "https://www.mend.io/vulnerability-database/",
        "discovery": "UNKNOWN"
      },
      "title": "Gin-vue-admin - Unrestricted File Upload",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
    "assignerShortName": "Mend",
    "cveId": "CVE-2022-32176",
    "datePublished": "2022-10-17T18:25:09.233Z",
    "dateReserved": "2022-05-31T00:00:00.000Z",
    "dateUpdated": "2025-05-10T02:53:12.843Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}