Description

The web application uses Refinery CMS. This version of Refinery CMS depends on Dragonfly gem that has an arbitrary file read/write vulnerability. Successful exploitation of the vulnerability can result in takeover of the server.

Remediation

Upgrade to the latest version of Dragonfly gem

References

CVE-2021-33564 Argument Injection in Ruby Dragonfly

Related Vulnerabilities

VMware vCenter Log4Shell RCE

WordPress Plugin Subscribe to Comments Unsubscribe Challenge Information Disclosure (2.0.2)

WordPress Plugin Advanced Custom Fields (ACF) Information Disclosure (6.0.2)

WordPress Plugin WP STAGING WordPress Backup-Migration Backup Restore Information Disclosure (3.4.3)

JVM version leakage

Severity

High

Classification

CVE-2021-33564 CWE-20 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Tags

Information Disclosure Directory Traversal Arbitrary File Creation Unauthenticated File Upload