CVE-2022-32176
Severity: CRITICAL
Gin-vue-admin < 2.5.3b - Unrestricted File Upload
In Gin-Vue-Admin, versions v2.5.1 through v2.5.3b are vulnerable to unrestricted file upload (CWE-434) through the "Compress Upload" function of the Media Library. The upload accepts a file that contains JavaScript, and that script runs when an admin user later views the file in the Media Library, so a low-privilege attacker who can upload obtains the admin's cookie and takes over the account. In practice this is a stored cross-site scripting chain: the attacker needs only a low-privilege account (PR:L in the vector below), and the admin has to open the file (UI:R).
References (2)
- Exploit, Third Party Advisory: https://github.com/flipped-aurora/gin-vue-admin/blob/v2.5.3beta/web/src/components/upload/image.vue#L43-L49
- Exploit, Third Party Advisory: https://www.mend.io/vulnerability-database/CVE-2022-32176
Scores
CVSS v3: 9.0 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector: NETWORK
EPSS: 0.0064 (percentile 70.7%)
Reading the vector: reachable over the network with low attack complexity; the attacker needs low privileges (any account that can upload); user interaction is required (an admin must view the file); scope is changed because a low-privilege session ends in control of the admin account, with high confidentiality, integrity and availability impact.
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-434 (Unrestricted Upload of File with Dangerous Type)
Status: published
Products (1): gin-vue-admin_project/gin-vue-admin, versions 2.5.1 - 2.5.3b
Published: Oct 17, 2022
Tracked Since: Feb 18, 2026