VYPR
Critical severity · NVD Advisory · Published Apr 12, 2022 · Updated Aug 3, 2024

CVE-2022-27952

Description

An arbitrary file upload vulnerability in the file upload module of PayloadCMS v0.15.0 allows attackers to execute arbitrary code via a crafted SVG file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Arbitrary file upload in PayloadCMS v0.15.0 allows code execution via crafted SVG file.

Vulnerability

An arbitrary file upload vulnerability exists in the file upload module of PayloadCMS version 0.15.0 [2]. The vulnerability allows an attacker to upload a crafted SVG file that bypasses file type validation, potentially leading to arbitrary code execution on the server.

Exploitation

An attacker with access to the file upload functionality can upload a specially crafted SVG file containing malicious code [2]. The lack of proper sanitization or validation of SVG content enables the attacker to execute arbitrary code on the underlying server.

Impact

Successful exploitation allows the attacker to execute arbitrary code on the server, which can lead to full compromise of the CMS, including data theft, modification, or further network attacks [2].

Mitigation

As of the publication date (2022-04-12), no official fix or workaround has been disclosed in the available references [2]. Users of PayloadCMS v0.15.0 should monitor the project's GitHub repository for updates and consider restricting file upload functionality to trusted users only until a patch is released.
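The advisory does not say which validation step PayloadCMS 0.15.0 skipped, so the following is an added, generic defender-side check for SVG uploads rather than PayloadCMS code: it rejects anything that is not a namespaced SVG document, strips nothing, and refuses files carrying DOCTYPE declarations, script or foreignObject elements, event-handler attributes, or references outside the file. The sample blobs are constructed for the demonstration; the size limit and the fragment-only href rule are assumptions you would tune per deployment.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Elements that let an SVG carry executable or embedded HTML content.
BLOCKED_ELEMENTS = {"script", "foreignObject"}

def check_svg_upload(data: bytes, max_bytes: int = 1_000_000) -> tuple[bool, str]:
    """Return (accepted, reason). Accept only a well-formed SVG document with
    no DOCTYPE/entity declarations, no script or foreignObject elements,
    no on* event-handler attributes and no href outside the document itself."""
    if len(data) > max_bytes:                       # assumed limit, tune per deployment
        return False, "file exceeds size limit"
    head = data[:4096].lower()
    if b"<!doctype" in head or b"<!entity" in head:  # no DTD/entity tricks at all
        return False, "DOCTYPE or entity declaration not allowed"
    try:
        root = ET.fromstring(data)                   # stdlib expat parser; comments dropped
    except ET.ParseError as exc:
        return False, f"not well-formed XML: {exc}"
    if root.tag != f"{{{SVG_NS}}}svg":               # extension/MIME type alone is not trusted
        return False, f"root element {root.tag!r} is not a namespaced <svg>"
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]            # drop the namespace prefix
        if local in BLOCKED_ELEMENTS:
            return False, f"forbidden element <{local}>"
        for name, value in el.attrib.items():
            attr = name.rsplit("}", 1)[-1].lower()   # handles xlink:href as well as href
            if attr.startswith("on"):
                return False, f"event handler attribute {attr!r}"
            if attr == "href" and not value.strip().startswith("#"):
                return False, f"reference outside the document: {value!r}"
    return True, "ok"

# Constructed sample uploads (not taken from the advisory).
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect/></svg>'
REMOTE_REF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
                  b'xmlns:xlink="http://www.w3.org/1999/xlink">'
                  b'<image xlink:href="http://example.invalid/x.svg"/></svg>')
RENAMED_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # binary file with an .svg name

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN_SVG), ("script", SCRIPT_SVG),
                        ("handler", HANDLER_SVG), ("remote", REMOTE_REF_SVG),
                        ("png", RENAMED_PNG)]:
        print(label, check_svg_upload(blob))
```

Run this check on the raw bytes before the file is stored, and serve accepted SVGs with a Content-Disposition or a restrictive Content-Security-Policy so an upload can never run as a page in the CMS origin.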

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package         Affected versions   Patched versions
payload (npm)   < 0.15.1            0.15.1

Affected products: 2

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (No linked articles in our index yet.)