ByteOS Network

Vulnerability Details :

CVE-2022-2872

Summary

Assigner-@huntrdev

Assigner Org ID-c09c270a-b464-47c1-9133-acb35b22c19a

Published At-21 Sep, 2022 | 09:55

Updated At-28 May, 2025 | 15:26

Unrestricted Upload of File with Dangerous Type in octoprint/octoprint

Unrestricted Upload of File with Dangerous Type in GitHub repository octoprint/octoprint prior to 1.8.3.

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:@huntrdev

Assigner Org ID:c09c270a-b464-47c1-9133-acb35b22c19a

Published At:21 Sep, 2022 | 09:55

Updated At:28 May, 2025 | 15:26

▼CVE Numbering Authority (CNA)

Unrestricted Upload of File with Dangerous Type in octoprint/octoprint

Unrestricted Upload of File with Dangerous Type in GitHub repository octoprint/octoprint prior to 1.8.3.

Affected Products

Vendor

octoprint

Product

octoprint/octoprint

Versions

Affected

From unspecified before 1.8.3 (custom)

Problem Types

Type	CWE ID	Description
CWE	CWE-434	CWE-434 Unrestricted Upload of File with Dangerous Type

Type: CWE

CWE ID: CWE-434

Description: CWE-434 Unrestricted Upload of File with Dangerous Type

Metrics

Version	Base score	Base severity	Vector
3.0	3.7	LOW	CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Version: 3.0

Base score: 3.7

Base severity: LOW

Vector:

CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

References

Hyperlink	Resource
https://huntr.dev/bounties/b966c74d-6f3f-49fe-b40a-eaf25e362c56	x_refsource_CONFIRM
https://github.com/octoprint/octoprint/commit/3e3c11811e216fb371a33e28412df83f9701e5b0	x_refsource_MISC

Hyperlink: https://huntr.dev/bounties/b966c74d-6f3f-49fe-b40a-eaf25e362c56

Resource:

x_refsource_CONFIRM

Hyperlink: https://github.com/octoprint/octoprint/commit/3e3c11811e216fb371a33e28412df83f9701e5b0

Resource:

x_refsource_MISC

▼Authorized Data Publishers (ADP)

1. CVE Program Container

References

Hyperlink	Resource
https://huntr.dev/bounties/b966c74d-6f3f-49fe-b40a-eaf25e362c56	x_refsource_CONFIRM x_transferred
https://github.com/octoprint/octoprint/commit/3e3c11811e216fb371a33e28412df83f9701e5b0	x_refsource_MISC x_transferred

Hyperlink: https://huntr.dev/bounties/b966c74d-6f3f-49fe-b40a-eaf25e362c56

Resource:

x_refsource_CONFIRM

x_transferred

Hyperlink: https://github.com/octoprint/octoprint/commit/3e3c11811e216fb371a33e28412df83f9701e5b0

Resource:

x_refsource_MISC

x_transferred

2. CISA ADP Vulnrichment

Metrics Other Info

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:security@huntr.dev

Published At:21 Sep, 2022 | 10:15

Updated At:23 Sep, 2022 | 17:58

Unrestricted Upload of File with Dangerous Type in GitHub repository octoprint/octoprint prior to 1.8.3.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Secondary	3.0	3.7	LOW	CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Type: Primary

Version: 3.1

Base score: 5.4

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Type: Secondary

Version: 3.0

Base score: 3.7

Base severity: LOW

Vector:

CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

CPE Matches

octoprint>>octoprint>>Versions before 1.8.3(exclusive)

cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-434	Primary	security@huntr.dev

CWE ID: CWE-434

Type: Primary

Source: security@huntr.dev

References

Hyperlink	Source	Resource
https://github.com/octoprint/octoprint/commit/3e3c11811e216fb371a33e28412df83f9701e5b0	security@huntr.dev	Patch Third Party Advisory
https://huntr.dev/bounties/b966c74d-6f3f-49fe-b40a-eaf25e362c56	security@huntr.dev	Exploit Patch Third Party Advisory

Hyperlink: https://github.com/octoprint/octoprint/commit/3e3c11811e216fb371a33e28412df83f9701e5b0

Source: security@huntr.dev

Resource:

Patch

Third Party Advisory

Hyperlink: https://huntr.dev/bounties/b966c74d-6f3f-49fe-b40a-eaf25e362c56

Source: security@huntr.dev

Resource:

Exploit

Patch

Third Party Advisory

Similar CVEs

58Records found

CVE-2022-0950

Matching Score-4

Assigner-Protect AI (formerly huntr.dev)

View Details

Matching Score-4

Assigner-Protect AI (formerly huntr.dev)

CVSS Score-6.5||MEDIUM

EPSS-0.62% / 45.35%

7 Day CHG~0.00%

Published-15 Mar, 2022 | 08:20

Updated-02 Aug, 2024 | 23:47

Unrestricted Upload of File with Dangerous Type in star7th/showdoc

Unrestricted Upload of File with Dangerous Type in GitHub repository star7th/showdoc prior to 2.10.4.

Vendor-showdoc star7th

Product-showdoc star7th/showdoc

CWE ID-CWE-434

Unrestricted Upload of File with Dangerous Type

CVE-2022-1045

Matching Score-4

Assigner-Protect AI (formerly huntr.dev)

View Details

Matching Score-4

Assigner-Protect AI (formerly huntr.dev)

CVSS Score-9||CRITICAL

EPSS-1.52% / 71.32%

7 Day CHG~0.00%

Published-11 Apr, 2022 | 06:15

Updated-02 Aug, 2024 | 23:47

Stored XSS viva .svg file upload in polonel/trudesk

Stored XSS viva .svg file upload in GitHub repository polonel/trudesk prior to v1.2.0.

Vendor-trudesk_project polonel

Product-trudesk polonel/trudesk

CWE ID-CWE-434

Unrestricted Upload of File with Dangerous Type

CVE-2024-13355

Matching Score-4

Assigner-Wordfence

View Details

Matching Score-4

Assigner-Wordfence

CVSS Score-5.4||MEDIUM

EPSS-0.36% / 27.54%

7 Day CHG~0.00%

Published-16 Jan, 2025 | 09:39

Updated-15 Apr, 2026 | 00:35

Admin and Customer Messages After Order for WooCommerce <= 13.2 - Authenticated (Subscriber+) Limited File Upload to Cross-Site Scripting

The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to limited file uploads due to insufficient file type validation in the upload_file() function in all versions up to, and including, 13.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload files on the affected site's server which may make remote code execution possible and is confirmed to make Cross-Site Scripting possible.

Vendor-nmedia

Product-Admin and Customer Messages After Order for WooCommerce: OrderConvo

CWE ID-CWE-434

Unrestricted Upload of File with Dangerous Type

CVE-2024-11390

Matching Score-4

Assigner-Elastic

View Details

Matching Score-4

Assigner-Elastic

CVSS Score-5.4||MEDIUM

EPSS-0.27% / 18.52%

7 Day CHG~0.00%

Published-01 May, 2025 | 13:11

Updated-01 Oct, 2025 | 19:29

Kibana Unrestricted Upload of File with Dangerous Type Can Lead to XSS

Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser (XSS) via crafted HTML and JavaScript files. The attacker must have access to the Synthetics app AND/OR have access to write to the synthetics indices.

Vendor-Elasticsearch BV

Product-kibana Kibana

CWE ID-CWE-434

Unrestricted Upload of File with Dangerous Type

CVE-2024-10584

Matching Score-4

Assigner-Wordfence

View Details

Matching Score-4

Assigner-Wordfence

CVSS Score-5.4||MEDIUM

EPSS-0.28% / 19.93%

7 Day CHG~0.00%

Published-24 Dec, 2024 | 11:09

Updated-08 Apr, 2026 | 16:49

DirectoryPress <= 3.6.16 - Authenticated (Author+) Stored Cross-Site Scripting

The DirectoryPress – Business Directory And Classified Ad Listing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.6.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. When DirectoryPress Frontend is installed, this can be exploited by unauthenticated users.

Vendor-designinvento

Product-DirectoryPress – Business Directory And Classified Ad Listing

CWE ID-CWE-434

Unrestricted Upload of File with Dangerous Type

CVE-2022-0945

Matching Score-4

Assigner-Protect AI (formerly huntr.dev)

View Details

Matching Score-4

Assigner-Protect AI (formerly huntr.dev)

CVSS Score-9||CRITICAL

EPSS-0.80% / 51.80%