CVE-2021-47746

NodeBB Plugin Emoji 3.2.1 - Arbitrary File Write

CVSS 8.6 HIGHEPSS 0.7%CWE-73

NodeBB Plugin Emoji 3.2.1 contains an arbitrary file write vulnerability that allows administrative users to write files to arbitrary system locations through the emoji upload API. Attackers with admin access can craft file upload requests with directory traversal to overwrite system files by manipulating the file path parameter.

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

NodeBB · NodeBB Plugin Emoji

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/NodeBB/nodebb-plugin-emoji https://nodebb.org/https://www.exploit-db.com/exploits/49813 https://www.vulncheck.com/advisories/nodebb-plugin-emoji-arbitrary-file-write