CVE-2023-26961

Alteryx Server 2022.1.1.42590 does not employ file type verification for uploaded files. This vulnerability allows attackers to upload arbitrary files (e.g., JavaScript content for stored XSS) via the type field in a JSON document within a PUT /gallery/api/media request.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.8 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
mitreCNA
---
---
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 53%
VendorProductVersion
alteryxalteryx_server
2022.1.1.42590
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://alteryx.com
https://gist.github.com/DylanGrl/4269ae834c5d0ec77c9b928ad35d3be3
http://alteryx.com
https://gist.github.com/DylanGrl/4269ae834c5d0ec77c9b928ad35d3be3