CVE-2022-32177
CRITICAL
Gin-vue-admin < 2.5.2 - Unrestricted File Upload
Title source: ruleDescription
In "Gin-Vue-Admin", versions v2.5.1 through v2.5.3beta are vulnerable to Unrestricted File Upload, leading to execution of JavaScript code, through the 'Normal Upload' functionality of the Media Library. When an admin user views the uploaded file, a low-privilege attacker gains access to the admin's cookie, leading to account takeover.
References (2)
Exploit, Third Party Advisory: https://github.com/flipped-aurora/gin-vue-admin/blob/v2.5.3beta/web/src/components/upload/common.vue#L29-L37
Exploit, Third Party Advisory: https://www.mend.io/vulnerability-database/CVE-2022-32177
Scores
CVSS v3
9.0
EPSS
0.0070
EPSS Percentile
72.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-434
Status
published
Products (2)
gin-vue-admin_project/gin-vue-admin
2.5.3 beta
gin-vue-admin_project/gin-vue-admin
2.5.1 - 2.5.2
Published
Oct 14, 2022
Tracked Since
Feb 18, 2026