Description

The web application uses Refinery CMS. This version of Refinery CMS depends on Dragonfly gem that has an arbitrary file read/write vulnerability. Successful exploitation of the vulnerability can result in takeover of the server.

Remediation

Upgrade to the latest version of Dragonfly gem

References

CVE-2021-33564 Argument Injection in Ruby Dragonfly

Related Vulnerabilities

WordPress Plugin SL User Create Information Disclosure (0.2.4)

Go web application binary disclosure

WordPress Plugin Log Emails Information Disclosure (1.0.6)

MongoDB HTTP status interface

WordPress Plugin Candidate Application Form Arbitrary File Disclosure (1.6)

Severity

High

Classification

CVE-2021-33564 CWE-20 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Tags

Information Disclosure Directory Traversal Arbitrary File Creation Unauthenticated File Upload