Budibase
CVE-2022-3225
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionNVD
Improper Control of Dynamically-Managed Code Resources in GitHub repository budibase/budibase prior to 1.3.20.
AnalysisAI
Improper Control of Dynamically-Managed Code Resources in GitHub repository budibase/budibase prior to 1.3.20. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified under CWE-913. Improper Control of Dynamically-Managed Code Resources in GitHub repository budibase/budibase prior to 1.3.20. Affected products include: Budibase. Version information: prior to 1.3.20..
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Unauthorized data access in Budibase low-code platform before 3.30.4 allows unauthenticated users to manipulate internal
Authorization bypass in Budibase 3.31.4 and earlier. The authorized() middleware can be bypassed, enabling injection att
Budibase is a low code platform for creating internal tools, workflows, and admin panels. [CVSS 8.8 HIGH]
Path traversal in Budibase low-code platform 3.31.5 and earlier allows attackers to read arbitrary files through the app
Server-Side Request Forgery (SSRF) in Budibase's REST datasource connector (versions prior to 3.33.4) allows authenticat
Authentication bypass in Budibase low-code platform (versions prior to 3.35.4) allows remote unauthenticated attackers t
Remote code execution in Budibase versions prior to 3.33.4 allows unauthenticated attackers to execute arbitrary Bash co
Arbitrary file upload in Budibase 3.24.0 and earlier allows authenticated attackers to bypass UI-level file extension re
Budibase suffers from missing server-side role validation in user management APIs, allowing Creator-level users to escal
Remote code execution in Budibase low-code platform versions prior to 3.33.4 enables authenticated attackers to execute
Stored cross-site scripting (XSS) in Budibase's Builder Command Palette (versions prior to 3.32.5) enables authenticated
Session hijacking via JavaScript-readable authentication cookies in Budibase versions prior to 3.35.10 allows any Cross-
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today