m1k1o/blog is a lightweight self-hosted facebook-styled PHP blog. Errors from functions `imagecreatefrom*` and `image*` have not been checked properly. Although PHP issued warnings and the upload function returned `false`, the original file (that could contain a malicious payload) was kept on the disk. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/167235/m1k1os-Blog-1.3-Remote-Code-Execution.html | Exploit Third Party Advisory VDB Entry |
https://github.com/m1k1o/blog/commit/6f5e59f1401c4a3cf2e518aa85b231ea14e8a2ef | Patch Third Party Advisory |
https://github.com/m1k1o/blog/security/advisories/GHSA-wmqj-5v54-24x4 | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2022-02-08T22:00:12
Updated: 2022-05-23T15:06:06
Reserved: 2022-01-19T00:00:00
Link: CVE-2022-23626
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-02-08T22:15:07.817
Modified: 2023-07-13T16:08:17.083
Link: CVE-2022-23626
JSON object: View
Redhat Information
No data.