CVE-2022-45338

HIGH

Exactsoftware Exact Synergy - Unrestricted File Upload

Description

An arbitrary file upload vulnerability in the profile picture upload function of Exact Synergy Enterprise 267 before 267SP13 and Exact Synergy Enterprise 500 before 500SP6 allows attackers to execute arbitrary code via a crafted SVG file.

Scores

CVSS v3: 7.8
EPSS: 0.0006
EPSS Percentile: 19.9%
Attack Vector: LOCAL
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-434
Status: published
Products (2):
exactsoftware/exact_synergy 267 (13 CPE variants)
exactsoftware/exact_synergy 500 (6 CPE variants)
Published: Dec 15, 2022
Tracked Since: Feb 18, 2026