CVE-2022-2102
24.06.2022, 15:15
Controls limiting uploads to certain file extensions may be bypassed. This could allow an attacker to intercept the initial file upload page response and modify the associated code. This modified code can be forwarded and used by a script loaded later in the sequence, allowing for arbitrary file upload into a location where PHP scripts may be executed.Enginsight
| Vendor | Product | Version |
|---|---|---|
| secheron | sepcos_control_and_protection_relay_firmware | 1.23.0 ≤ 𝑥 < 1.23.21 |
| secheron | sepcos_control_and_protection_relay_firmware | 1.24.0 ≤ 𝑥 < 1.24.8 |
| secheron | sepcos_control_and_protection_relay_firmware | 1.25.0 ≤ 𝑥 < 1.25.3 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-841 - Improper Enforcement of Behavioral WorkflowThe software supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.
- CWE-434 - Unrestricted Upload of File with Dangerous TypeThe software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.