CVE-2022-27952: Unrestricted Upload of File with Dangerous Type in Payload

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.75389%
Published: 4/13/2022
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: payload
Ecosystem: npm
Vulnerable Versions: <= 0.15.0
First Patched Version: 0.15.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The available information describes CVE-2022-27952 as an unrestricted file upload in PayloadCMS v0.15.0, but includes no code examples, commit diffs, or file paths that would allow the vulnerable functions to be identified precisely. The vulnerability clearly lies in the file upload module's handling of SVG files, yet the advisory and its linked resources do not disclose the upload validation logic, function names, or file locations. Without the pre-patch source or the patch diff for version 0.15.0, specific vulnerable functions cannot be identified with confidence; the flaw most likely resides in the file type validation applied to uploads, but the published details are insufficient to map it to concrete function names or paths.

WAF Protection Rules

WAF Rule

An arbitrary file upload vulnerability in the file upload module of PayloadCMS v0.15.0 allows attackers to execute arbitrary code via a crafted SVG file.
