Home > Vulnerability Database > CVE-2022-23626

Mend.io Vulnerability Database

CVE-2022-23626

Good to know:

Date: February 8, 2022

m1k1o/blog is a lightweight self-hosted facebook-styled PHP blog. Errors from functions `imagecreatefrom*` and `image*` have not been checked properly. Although PHP issued warnings and the upload function returned `false`, the original file (that could contain a malicious payload) was kept on the disk. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.

Language: PHP

Severity Score

8.8

Related Resources (5)

Url: https://github.com/m1k1o/blog/commit/6f5e59f1401c4a3cf2e518aa85b231ea14e8a2ef

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-23626

Url: https://github.com/m1k1o/blog/security/advisories/GHSA-wmqj-5v54-24x4

Url: http://packetstormsecurity.com/files/167235/m1k1os-Blog-1.3-Remote-Code-Execution.html

Url: https://www.mend.io/vulnerability-database/CVE-2022-23626

Severity Score

8.8

Weakness Type (CWE)

Input Validation

CWE-20

Unrestricted Upload of File with Dangerous Type

CWE-434

Unchecked Return Value

CWE-252

Top Fix

Upgrade Version

Upgrade to version v1.4

Learn More

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	6.5
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	SINGLE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2022-23626

Good to know:

Date: February 8, 2022

Language: PHP

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?