Alteryx Server 2022.1.1.42590 does not employ file type verification for uploaded files. This vulnerability allows attackers to upload arbitrary files (e.g., JavaScript content for stored XSS) via the type field in a JSON document within a PUT /gallery/api/media request.
References
Link | Resource |
---|---|
http://alteryx.com | Vendor Advisory |
https://gist.github.com/DylanGrl/4269ae834c5d0ec77c9b928ad35d3be3 | Exploit Third Party Advisory |
Configurations
History
21 Aug 2023, 17:15
Type | Values Removed | Values Added |
---|---|---|
Summary | Alteryx Server 2022.1.1.42590 does not employ file type verification for uploaded files. This vulnerability allows attackers to upload arbitrary files (e.g., JavaScript content for stored XSS) via the type field in a JSON document within a PUT /gallery/api/media request. |
14 Aug 2023, 14:19
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) http://alteryx.com - Vendor Advisory | |
References | (MISC) https://gist.github.com/DylanGrl/4269ae834c5d0ec77c9b928ad35d3be3 - Exploit, Third Party Advisory | |
CWE | CWE-79 | |
CPE | cpe:2.3:a:alteryx:alteryx_server:2022.1.1.42590:*:*:*:*:*:*:* | |
First Time |
Alteryx alteryx Server
Alteryx |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 4.8 |
08 Aug 2023, 20:39
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-08-08 20:15
Updated : 2024-02-28 20:33
NVD link : CVE-2023-26961
Mitre link : CVE-2023-26961
CVE.ORG link : CVE-2023-26961
JSON object : View
Products Affected
alteryx
- alteryx_server
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')