CVE-2022-45338

HIGH

Exact Synergy Enterprise < 267SP13 and < 500SP6 - Arbitrary File Upload via Profile Picture SVG

Description

An arbitrary file upload vulnerability in the profile picture upload function of Exact Synergy Enterprise 267 before 267SP13 and Exact Synergy Enterprise 500 before 500SP6 allows attackers to execute arbitrary code via a crafted SVG file.

Scores

CVSS v3: 7.8
EPSS: 0.0022
EPSS Percentile: 12.8%
Attack Vector: LOCAL
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-434
Status: published
Products (2):
  exactsoftware/exact_synergy 267 (13 CPE variants)
  exactsoftware/exact_synergy 500 (6 CPE variants)
Published: Dec 15, 2022
Tracked Since: Feb 18, 2026