CVE-2021-42342

An issue was discovered in GoAhead 4.x and 5.x before 5.1.5. In the file upload filter, user form variables can be passed to CGI scripts without being prefixed with the CGI prefix. This permits tunneling untrusted environment variables into vulnerable CGI scripts.

Published: Oct 14, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-42342
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-434

Affected Software
References

Software	From	Fixed in
embedthis / goahead	5.0.0	5.1.5
embedthis / goahead	4.0.0	4.1.3.x

https://github.com/embedthis/goahead/issues/305

Vulnerability Database

289,784

CVE-2021-42342