CVE-2021-42192

moderate-risk
Published 2022-05-04

Konga v0.14.9 is affected by an incorrect access control vulnerability where a specially crafted request can lead to privilege escalation.

Do I need to act?

!
23.5% chance of exploitation in next 30 days
EPSS score — higher than 77% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10 High
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Konga Project

References (10)

Exploit https://docs.google.com/document/d/1-YU9zWiDVUps3Mb6zos3996yvZ48vW_vfOvaJLLHc4I/...
Product https://github.com/pantsel/konga/
https://github.com/pantsel/konga/commit/d61535277aced18b5be0313ab2d124f60f649978
Exploit https://github.com/whokilleddb/Konga-Privilege-Escalation-Exploit
Exploit https://www.exploit-db.com/exploits/50521
Exploit https://docs.google.com/document/d/1-YU9zWiDVUps3Mb6zos3996yvZ48vW_vfOvaJLLHc4I/...
Product https://github.com/pantsel/konga/
https://github.com/pantsel/konga/commit/d61535277aced18b5be0313ab2d124f60f649978
Exploit https://github.com/whokilleddb/Konga-Privilege-Escalation-Exploit
Exploit https://www.exploit-db.com/exploits/50521
49
/ 100
moderate-risk
Severity 30/34 · Critical
Exploitability 14/34 · Moderate
Exposure 5/34 · Minimal