CVE-2021-42342

CRITICAL

Embedthis Goahead < 4.1.3 - Unrestricted File Upload

Title source: rule

Description

An issue was discovered in GoAhead 4.x and 5.x before 5.1.5. In the file upload filter, user form variables can be passed to CGI scripts without being prefixed with the CGI prefix. This permits tunneling untrusted environment variables into vulnerable CGI scripts.

Exploits (2)

nomisec WORKING POC 22 stars

by kimusan · poc

https://github.com/kimusan/goahead-webserver-pre-5.1.5-RCE-PoC-CVE-2021-42342-

View Code ZIP pw:eip

inthewild WORKING POC

poc

https://github.com/mr-xn/cve-2021-42342

View Code ZIP pw:eip

References (1)

[Third Party Advisory] https://github.com/embedthis/goahead/issues/305

Scores

CVSS v3 9.8

EPSS 0.7760

EPSS Percentile 99.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (1)

embedthis/goahead 4.0.0 - 4.1.3

Published Oct 14, 2021

Tracked Since Feb 18, 2026