Headline
CVE-2022-23626: Insufficient checking of uploaded files
m1k1o/blog is a lightweight self-hosted Facebook-styled PHP blog. Errors from the functions imagecreatefrom* and image* have not been checked properly. Although PHP issued warnings and the upload function returned false, the original file (which could contain a malicious payload) was kept on the disk. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.
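The failure mode described above, written out as an added PHP example (not m1k1o/blog's own code): a weak upload handler that detects a failed imagecreatefrom*() call yet leaves the uploaded file in place, beside a hardened handler that validates the image from the temporary upload, writes only a freshly re-encoded copy under a server-chosen name, and removes files on every failure path. The function names, the $uploadDir argument and the JPEG/PNG allow-list are assumptions made for this illustration.

```php
<?php
// Added example, not m1k1o/blog's own code. Function names, paths and the
// allow-list below are assumptions for this illustration.

/**
 * Weak pattern: the upload is moved to its final location first. A failed
 * imagecreatefromjpeg() is detected and false is returned, but the original
 * file stays on disk, which is the defect the advisory describes.
 */
function storeImageWeak(string $tmpPath, string $uploadDir, string $name): bool
{
    $dest = $uploadDir . '/' . $name;
    if (!move_uploaded_file($tmpPath, $dest)) {
        return false;
    }
    // '@' silences the PHP warning; a non-image yields false here ...
    $img = @imagecreatefromjpeg($dest);
    if ($img === false) {
        return false;          // ... but $dest is still on the disk
    }
    $ok = imagejpeg($img, $dest, 85);
    imagedestroy($img);
    return $ok;                // an image*() failure also leaves $dest behind
}

/**
 * Hardened pattern: decode from the temporary upload, keep only a re-encoded
 * image under a server-chosen name, and clean up on every failure path.
 * Returns the stored path, or null on failure.
 */
function storeImageHardened(string $tmpPath, string $uploadDir): ?string
{
    // Step 1: confirm the bytes really decode as an allowed image type before
    // anything is kept. getimagesize() reads the header, not the extension.
    $decoders = [
        IMAGETYPE_JPEG => 'imagecreatefromjpeg',
        IMAGETYPE_PNG  => 'imagecreatefrompng',
    ];
    $info = @getimagesize($tmpPath);
    if ($info === false || !isset($decoders[$info[2]])) {
        @unlink($tmpPath);     // reject and discard: nothing reaches the web root
        return null;
    }

    $decode = $decoders[$info[2]];
    $img = @$decode($tmpPath);
    if ($img === false) {
        @unlink($tmpPath);     // decoder failed: discard the original
        return null;
    }

    // Step 2: write a fresh JPEG under a random name, so no uploaded bytes and
    // no attacker-chosen filename are ever stored.
    $dest = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.jpg';
    $ok = imagejpeg($img, $dest, 85);
    imagedestroy($img);
    @unlink($tmpPath);         // the temporary upload is never needed again

    if (!$ok) {
        @unlink($dest);        // image*() failed: do not leave a partial file
        return null;
    }
    return $dest;
}
```

The two points a reviewer would check in any handler of this shape are that the return value of every imagecreatefrom*() and image*() call is tested, and that each failure branch deletes whatever the handler has already written; logging the rejected upload's size and declared MIME type at that point gives the operator a signal without keeping the file.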
Impact
All versions up to and including v1.3.
Patches
Users should upgrade to v1.4.
Related news
m1k1o's Blog versions 1.3 and below suffer from an authenticated remote code execution vulnerability.