An issue was discovered in Vocera Report Server and Voice Server 5.x through 5.8. There is Arbitrary File Upload. The BaseController class, that each of the service controllers derives from, allows for the upload of arbitrary files. If the HTTP request is a multipart/form-data POST request, any parameters with a filename entry will have their content written to a file in the Vocera upload-staging directory with the specified filename in the parameter.
References
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 07:31
Type | Values Removed | Values Added |
---|---|---|
References | () https://www.stryker.com/us/en/about/governance/cyber-security/product-security/ - Not Applicable | |
References | () https://www.stryker.com/us/en/about/governance/cyber-security/product-security/vocera-report-server-vulnerabilities--cve-2022-46898--cve-2022-4.html - Third Party Advisory |
01 Aug 2023, 01:28
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
CPE | cpe:2.3:a:vocera:report_server:*:*:*:*:*:*:*:* cpe:2.3:a:vocera:voice_server:*:*:*:*:*:*:*:* |
|
First Time |
Vocera
Vocera report Server Vocera voice Server |
|
CWE | CWE-434 | |
References | (MISC) https://www.stryker.com/us/en/about/governance/cyber-security/product-security/ - Not Applicable | |
References | (MISC) https://www.stryker.com/us/en/about/governance/cyber-security/product-security/vocera-report-server-vulnerabilities--cve-2022-46898--cve-2022-4.html - Third Party Advisory |
25 Jul 2023, 20:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-07-25 20:15
Updated : 2024-11-21 07:31
NVD link : CVE-2022-46899
Mitre link : CVE-2022-46899
CVE.ORG link : CVE-2022-46899
JSON object : View
Products Affected
vocera
- voice_server
- report_server
CWE
CWE-434
Unrestricted Upload of File with Dangerous Type