CVE-2022-41951 HIGH

CVE-2022-41951: OroPlatform vulnerable to path traversal during temporary file manipulations

Vendor Oroinc
Product platform
Weakness CWE-22 · Path traversal
Published November 27, 2023
Last update August 3, 2024

CVSS base score

8.6/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

OroPlatform is a PHP Business Application Platform (BAP) designed to make development of custom business applications easier and faster. Path traversal is possible in `Oro\Bundle\GaufretteBundle\FileManager::getTemporaryFileName`. Through this method, an attacker can pass the path to a non-existent file, which allows content to be written to a new file that is available during script execution. This vulnerability has been fixed in version 5.0.9.

Key dates

02 Disclosure timeline

November 27, 2023 CVE published
August 3, 2024 Record updated