CVE-2022-23626
moderate-risk
Published 2022-02-08
m1k1o/blog is a lightweight self-hosted facebook-styled PHP blog. Errors from functions `imagecreatefrom*` and `image*` have not been checked properly. Although PHP issued warnings and the upload function returned `false`, the original file (that could contain a malicious payload) was kept on the disk. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.
Do I need to act?
~
4.3% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.5/10
High
NETWORK
/ HIGH complexity
Affected Products (1)
Blog
Affected Vendors
References (6)
Third Party Advisory
https://github.com/m1k1o/blog/security/advisories/GHSA-wmqj-5v54-24x4
Third Party Advisory
https://github.com/m1k1o/blog/security/advisories/GHSA-wmqj-5v54-24x4
37
/ 100
moderate-risk
Severity
25/34 · High
Exploitability
7/34 · Low
Exposure
5/34 · Minimal