CVE-2022-27952: Unrestricted Upload of File with Dangerous Type

April 13, 2022 (updated April 22, 2022)

An arbitrary file upload vulnerability in the file upload module of PayloadCMS v0.15.0 allows attackers to execute arbitrary code via a crafted SVG file.

References

github.com/advisories/GHSA-w8xh-93qh-35vw
github.com/payloadcms/payload
nvd.nist.gov/vuln/detail/CVE-2022-27952
www.youtube.com/watch?v=6CfhAxA3xdQ

Code Behaviors & Features

Detect and mitigate CVE-2022-27952 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →