CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-24807
https://notcve.org/view.php?id=CVE-2020-24807
06 Oct 2020 — The socket.io-file package through 2.0.31 for Node.js relies on client-side validation of file types, which allows remote attackers to execute arbitrary code by uploading an executable file via a modified JSON name field. NOTE: This vulnerability only affects products that are no longer supported by the maintainer El paquete socket.io-file hasta versión 2.0.31 para Node.js se basa en la comprobación del lado del cliente de los tipos de archivos, lo que permite a atacantes remotos ejecutar código arbitrario ... • https://github.com/advisories/GHSA-6495-8jvh-f28x • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-15779
https://notcve.org/view.php?id=CVE-2020-15779
15 Jul 2020 — A Path Traversal issue was discovered in the socket.io-file package through 2.0.31 for Node.js. The socket.io-file::createFile message uses path.join with ../ in the name option, and the uploadDir and rename options determine the path. Se detectó un problema de Salto de Ruta en el paquete socket.io-file versiones hasta 2.0.31 para Node.js. El mensaje de socket.io-file::createFile usa path.join con ../ en la opción de nombre, y las opciones uploadDir y rename determinan la ruta • https://github.com/advisories/GHSA-9h4g-27m8-qjrg • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •