Vulnerabilites related to bolt - bolt
cve-2020-4041
Vulnerability from cvelistv5
Published
2020-06-08 22:05
Modified
2024-08-04 07:52
Severity ?
EPSS score ?
Summary
In Bolt CMS before version 3.7.1, the filename of uploaded files was vulnerable to stored XSS. It is not possible to inject javascript code in the file name when creating/uploading the file. But, once created/uploaded, it can be renamed to inject the payload in it. Additionally, the measures to prevent renaming the file to disallowed filename extensions could be circumvented. This is fixed in Bolt 3.7.1.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/bolt/bolt/pull/7853 | x_refsource_MISC | |
| https://github.com/bolt/bolt/commit/b42cbfcf3e3108c46a80581216ba03ef449e419f | x_refsource_MISC | |
| https://github.com/bolt/bolt/security/advisories/GHSA-68q3-7wjp-7q3j | x_refsource_CONFIRM | |
| http://packetstormsecurity.com/files/158299/Bolt-CMS-3.7.0-XSS-CSRF-Shell-Upload.html | x_refsource_MISC | |
| http://seclists.org/fulldisclosure/2020/Jul/4 | mailing-list, x_refsource_FULLDISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T07:52:20.827Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bolt/bolt/pull/7853"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bolt/bolt/commit/b42cbfcf3e3108c46a80581216ba03ef449e419f"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/bolt/bolt/security/advisories/GHSA-68q3-7wjp-7q3j"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/158299/Bolt-CMS-3.7.0-XSS-CSRF-Shell-Upload.html"
},
{
"name": "20200703 Bolt CMS \u003c= 3.7.0 Multiple Vulnerabilities - CSRF to RCE",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2020/Jul/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "bolt",
"vendor": "bolt",
"versions": [
{
"status": "affected",
"version": "\u003c 3.7.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Bolt CMS before version 3.7.1, the filename of uploaded files was vulnerable to stored XSS. It is not possible to inject javascript code in the file name when creating/uploading the file. But, once created/uploaded, it can be renamed to inject the payload in it. Additionally, the measures to prevent renaming the file to disallowed filename extensions could be circumvented. This is fixed in Bolt 3.7.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-03T18:06:00",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bolt/bolt/pull/7853"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bolt/bolt/commit/b42cbfcf3e3108c46a80581216ba03ef449e419f"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bolt/bolt/security/advisories/GHSA-68q3-7wjp-7q3j"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/158299/Bolt-CMS-3.7.0-XSS-CSRF-Shell-Upload.html"
},
{
"name": "20200703 Bolt CMS \u003c= 3.7.0 Multiple Vulnerabilities - CSRF to RCE",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2020/Jul/4"
}
],
"source": {
"advisory": "GHSA-68q3-7wjp-7q3j",
"discovery": "UNKNOWN"
},
"title": "The filename of uploaded files vulnerable to stored XSS in Bolt CMS",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-4041",
"STATE": "PUBLIC",
"TITLE": "The filename of uploaded files vulnerable to stored XSS in Bolt CMS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "bolt",
"version": {
"version_data": [
{
"version_value": "\u003c 3.7.1"
}
]
}
}
]
},
"vendor_name": "bolt"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Bolt CMS before version 3.7.1, the filename of uploaded files was vulnerable to stored XSS. It is not possible to inject javascript code in the file name when creating/uploading the file. But, once created/uploaded, it can be renamed to inject the payload in it. Additionally, the measures to prevent renaming the file to disallowed filename extensions could be circumvented. This is fixed in Bolt 3.7.1."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/bolt/bolt/pull/7853",
"refsource": "MISC",
"url": "https://github.com/bolt/bolt/pull/7853"
},
{
"name": "https://github.com/bolt/bolt/commit/b42cbfcf3e3108c46a80581216ba03ef449e419f",
"refsource": "MISC",
"url": "https://github.com/bolt/bolt/commit/b42cbfcf3e3108c46a80581216ba03ef449e419f"
},
{
"name": "https://github.com/bolt/bolt/security/advisories/GHSA-68q3-7wjp-7q3j",
"refsource": "CONFIRM",
"url": "https://github.com/bolt/bolt/security/advisories/GHSA-68q3-7wjp-7q3j"
},
{
"name": "http://packetstormsecurity.com/files/158299/Bolt-CMS-3.7.0-XSS-CSRF-Shell-Upload.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/158299/Bolt-CMS-3.7.0-XSS-CSRF-Shell-Upload.html"
},
{
"name": "20200703 Bolt CMS \u003c= 3.7.0 Multiple Vulnerabilities - CSRF to RCE",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2020/Jul/4"
}
]
},
"source": {
"advisory": "GHSA-68q3-7wjp-7q3j",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-4041",
"datePublished": "2020-06-08T22:05:14",
"dateReserved": "2019-12-30T00:00:00",
"dateUpdated": "2024-08-04T07:52:20.827Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-4040
Vulnerability from cvelistv5
Published
2020-06-08 22:00
Modified
2024-08-04 07:52
Severity ?
EPSS score ?
Summary
Bolt CMS before version 3.7.1 lacked CSRF protection in the preview generating endpoint. Previews are intended to be generated by the admins, developers, chief-editors, and editors, who are authorized to create content in the application. But due to lack of proper CSRF protection, unauthorized users could generate a preview. This has been fixed in Bolt 3.7.1
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/bolt/bolt/security/advisories/GHSA-2q66-6cc3-6xm8 | x_refsource_CONFIRM | |
| https://github.com/bolt/bolt/pull/7853 | x_refsource_MISC | |
| https://github.com/bolt/bolt/commit/b42cbfcf3e3108c46a80581216ba03ef449e419f | x_refsource_MISC | |
| http://packetstormsecurity.com/files/158299/Bolt-CMS-3.7.0-XSS-CSRF-Shell-Upload.html | x_refsource_MISC | |
| http://seclists.org/fulldisclosure/2020/Jul/4 | mailing-list, x_refsource_FULLDISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T07:52:20.663Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/bolt/bolt/security/advisories/GHSA-2q66-6cc3-6xm8"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bolt/bolt/pull/7853"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bolt/bolt/commit/b42cbfcf3e3108c46a80581216ba03ef449e419f"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/158299/Bolt-CMS-3.7.0-XSS-CSRF-Shell-Upload.html"
},
{
"name": "20200703 Bolt CMS \u003c= 3.7.0 Multiple Vulnerabilities - CSRF to RCE",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2020/Jul/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "bolt",
"vendor": "bolt",
"versions": [
{
"status": "affected",
"version": "\u003c 3.7.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Bolt CMS before version 3.7.1 lacked CSRF protection in the preview generating endpoint. Previews are intended to be generated by the admins, developers, chief-editors, and editors, who are authorized to create content in the application. But due to lack of proper CSRF protection, unauthorized users could generate a preview. This has been fixed in Bolt 3.7.1"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-03T18:06:00",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bolt/bolt/security/advisories/GHSA-2q66-6cc3-6xm8"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bolt/bolt/pull/7853"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bolt/bolt/commit/b42cbfcf3e3108c46a80581216ba03ef449e419f"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/158299/Bolt-CMS-3.7.0-XSS-CSRF-Shell-Upload.html"
},
{
"name": "20200703 Bolt CMS \u003c= 3.7.0 Multiple Vulnerabilities - CSRF to RCE",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2020/Jul/4"
}
],
"source": {
"advisory": "GHSA-2q66-6cc3-6xm8",
"discovery": "UNKNOWN"
},
"title": "CSRF issue on preview pages in Bolt CMS",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-4040",
"STATE": "PUBLIC",
"TITLE": "CSRF issue on preview pages in Bolt CMS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "bolt",
"version": {
"version_data": [
{
"version_value": "\u003c 3.7.1"
}
]
}
}
]
},
"vendor_name": "bolt"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Bolt CMS before version 3.7.1 lacked CSRF protection in the preview generating endpoint. Previews are intended to be generated by the admins, developers, chief-editors, and editors, who are authorized to create content in the application. But due to lack of proper CSRF protection, unauthorized users could generate a preview. This has been fixed in Bolt 3.7.1"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352: Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/bolt/bolt/security/advisories/GHSA-2q66-6cc3-6xm8",
"refsource": "CONFIRM",
"url": "https://github.com/bolt/bolt/security/advisories/GHSA-2q66-6cc3-6xm8"
},
{
"name": "https://github.com/bolt/bolt/pull/7853",
"refsource": "MISC",
"url": "https://github.com/bolt/bolt/pull/7853"
},
{
"name": "https://github.com/bolt/bolt/commit/b42cbfcf3e3108c46a80581216ba03ef449e419f",
"refsource": "MISC",
"url": "https://github.com/bolt/bolt/commit/b42cbfcf3e3108c46a80581216ba03ef449e419f"
},
{
"name": "http://packetstormsecurity.com/files/158299/Bolt-CMS-3.7.0-XSS-CSRF-Shell-Upload.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/158299/Bolt-CMS-3.7.0-XSS-CSRF-Shell-Upload.html"
},
{
"name": "20200703 Bolt CMS \u003c= 3.7.0 Multiple Vulnerabilities - CSRF to RCE",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2020/Jul/4"
}
]
},
"source": {
"advisory": "GHSA-2q66-6cc3-6xm8",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-4040",
"datePublished": "2020-06-08T22:00:16",
"dateReserved": "2019-12-30T00:00:00",
"dateUpdated": "2024-08-04T07:52:20.663Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}