CVE-2021-47746
8.6
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
NodeBB Plugin Emoji 3.2.1 contains an arbitrary file write vulnerability that allows administrative users to write files to arbitrary system locations through the emoji upload API. Attackers with admin access can craft file upload requests with directory traversal to overwrite system files by manipulating the file path parameter.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| NodeBB | NodeBB Plugin Emoji | 3.2.1 | affected |
Weaknesses
- CWE-73: External Control of File Name or Path
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
References
- https://www.exploit-db.com/exploits/49813
- https://nodebb.org/
- https://github.com/NodeBB/nodebb-plugin-emoji
- https://www.vulncheck.com/advisories/nodebb-plugin-emoji-arbitrary-file-write
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.