{"url":"http://public2.vulnerablecode.io/api/packages/441430?format=json","purl":"pkg:composer/oneup/uploader-bundle@1.8.3","type":"composer","namespace":"oneup","name":"uploader-bundle","version":"1.8.3","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.1.5","latest_non_vulnerable_version":"2.1.5","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40800?format=json","vulnerability_id":"VCID-esks-k3fy-wkb2","summary":"Relative Path Traversal (CWE-23) in chunked uploads in oneup/uploader-bundle\n### Impact\nThe vulnerability was identified in the web service for a chunked file\nupload. While the names of the POST parameters vary with the used\nfrontend, their values are always used in the same way to build a path\nwhere the chunks are stored and assembled temporarily. By not validating\nthese parameters properly, OneupUploaderBundle is susceptible to a path\ntraversal vulnerability which can be exploited to upload files to\narbitrary folders on the filesystem. The assembly process can further be\nmisused with some restrictions to delete and copy files to other\nlocations.\n\nThe vulnerability can be exploited by any users that have legitimate\naccess to the upload functionality and can lead to arbitrary code\nexecution, denial of service and disclosure of confidential information.\n\n### Patches\nYes, see version 1.9.3 and 2.1.5.\n\n### References\nhttps://owasp.org/www-community/attacks/Path_Traversal\n\n### Credits:\nThis security vulnerability was found by Thibaud Kehler of SySS GmbH.\nE-Mail: thibaud.kehler@syss.de","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-5237","reference_id":"","reference_type":"","scores":[{"value":"0.05244","scoring_system":"epss","scoring_elements":"0.90114","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-5237"},{"reference_url":"https://github.com/1up-lab/OneupUploaderBundle/commit/a6011449b716f163fe1ae323053077e59212350c","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/1up-lab/OneupUploaderBundle/commit/a6011449b716f163fe1ae323053077e59212350c"},{"reference_url":"https://github.com/1up-lab/OneupUploaderBundle/security/advisories/GHSA-x8wj-6m73-gfqp","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/1up-lab/OneupUploaderBundle/security/advisories/GHSA-x8wj-6m73-gfqp"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/oneup/uploader-bundle/CVE-2020-5237.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/oneup/uploader-bundle/CVE-2020-5237.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5237","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5237"},{"reference_url":"https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-003.txt","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-003.txt"},{"reference_url":"https://github.com/advisories/GHSA-x8wj-6m73-gfqp","reference_id":"GHSA-x8wj-6m73-gfqp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x8wj-6m73-gfqp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74344?format=json","purl":"pkg:composer/oneup/uploader-bundle@1.9.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-esks-k3fy-wkb2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/oneup/uploader-bundle@1.9.3"},{"url":"http://public2.vulnerablecode.io/api/packages/74342?format=json","purl":"pkg:composer/oneup/uploader-bundle@2.1.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/oneup/uploader-bundle@2.1.5"}],"aliases":["CVE-2020-5237","GHSA-x8wj-6m73-gfqp"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-esks-k3fy-wkb2"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/oneup/uploader-bundle@1.8.3"}