CVE-2023-0265: Uvdesk remote code execution vulnerability

April 5, 2023 (updated February 13, 2025)

Uvdesk version 1.1.1 allows an authenticated remote attacker to execute commands on the server. This is possible because the application does not properly validate profile pictures uploaded by customers.

References

fluidattacks.com/advisories/supply
github.com/advisories/GHSA-2hw6-4rv9-82fp
github.com/uvdesk/community-skeleton
nvd.nist.gov/vuln/detail/CVE-2023-0265

Code Behaviors & Features

Detect and mitigate CVE-2023-0265 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →