CVE-2023-7159

A vulnerability was found in gopeak MasterLab up to 3.3.10. It has been declared as critical. Affected by this vulnerability is the function add/update of the file app/ctrl/admin/User.php. The manipulation of the argument avatar leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249181 was assigned to this vulnerability.

CVSS v3 9.8 CRITICAL
CVSS v2.0 5.8 MEDIUM

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

5.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:M/C:P/I:P/A:P

Exploitability : 6.4 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication MULTIPLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://note.zhaoj.in/share/FE79uijyqmG7	Broken Link
https://note.zhaoj.in/share/jNbywlXI46HV	Broken Link
https://vuldb.com/?ctiid.249181	Permissions Required Third Party Advisory
https://vuldb.com/?id.249181	Permissions Required Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:masterlab:masterlab:*:*:*:*:*:*:*:*

History

05 Jan 2024, 15:02

Type	Values Removed	Values Added
References	~~() https://vuldb.com/?id.249181 -~~	() https://vuldb.com/?id.249181 - Permissions Required, Third Party Advisory
References	~~() https://note.zhaoj.in/share/jNbywlXI46HV -~~	() https://note.zhaoj.in/share/jNbywlXI46HV - Broken Link
References	~~() https://vuldb.com/?ctiid.249181 -~~	() https://vuldb.com/?ctiid.249181 - Permissions Required, Third Party Advisory
References	~~() https://note.zhaoj.in/share/FE79uijyqmG7 -~~	() https://note.zhaoj.in/share/FE79uijyqmG7 - Broken Link
First Time		Masterlab masterlab Masterlab
CPE		cpe:2.3:a:masterlab:masterlab::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8

29 Dec 2023, 07:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-12-29 07:15

Updated : 2024-05-17 02:34

NVD link : CVE-2023-7159

Mitre link : CVE-2023-7159

CVE.ORG link : CVE-2023-7159

JSON object : View

Products Affected

masterlab

masterlab

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2023-7159", "metrics": {"cvssMetricV2": [{"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"version": "2.0", "baseScore": 5.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "authentication": "MULTIPLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 6.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 1.2}]}, "published": "2023-12-29T07:15:11.420", "references": [{"url": "https://note.zhaoj.in/share/FE79uijyqmG7", "tags": ["Broken Link"], "source": "cna@vuldb.com"}, {"url": "https://note.zhaoj.in/share/jNbywlXI46HV", "tags": ["Broken Link"], "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.249181", "tags": ["Permissions Required", "Third Party Advisory"], "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.249181", "tags": ["Permissions Required", "Third Party Advisory"], "source": "cna@vuldb.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "cna@vuldb.com", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in gopeak MasterLab up to 3.3.10. It has been declared as critical. Affected by this vulnerability is the function add/update of the file app/ctrl/admin/User.php. The manipulation of the argument avatar leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249181 was assigned to this vulnerability."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en gopeak MasterLab hasta 3.3.10. Ha sido declarada cr\u00edtica. La funci\u00f3n add/update del archivo app/ctrl/admin/User.php es afectada por esta vulnerabilidad. La manipulaci\u00f3n del argumento avatar conduce a una carga sin restricciones. El ataque se puede lanzar de forma remota. La explotaci\u00f3n ha sido divulgada al p\u00fablico y puede utilizarse. A esta vulnerabilidad se le asign\u00f3 el identificador VDB-249181."}], "lastModified": "2024-05-17T02:34:14.650", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:masterlab:masterlab:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "650AE4B5-39D2-4607-8455-957955DF48AB", "versionEndIncluding": "3.3.10"}], "operator": "OR"}]}], "sourceIdentifier": "cna@vuldb.com"}