Description

Alteryx Server 2022.1.1.42590 does not employ file type verification for uploaded files. This vulnerability allows attackers to upload arbitrary files (e.g., JavaScript content for stored XSS) via the type field in a JSON document within a PUT /gallery/api/media request.

Related CPE's

a

alteryx

alteryx_server

2022.1.1.42590

Vulnerable

References

http://alteryx.com

Vendor Advisory

https://gist.github.com/DylanGrl/4269ae834c5d0ec77c9b928ad35d3be3

ExploitThird Party Advisory

Weaknesses

[email protected]

Primary
CWE-79

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

4.8 · Medium

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Modified

Published

2023-08-08T20:15:10.080

11 months ago

Last modified

2023-08-21T17:15:46.583

11 months ago