angular-base64-upload vulnerable to unauthenticated remote code execution

Severity:: High

Description

angular-base64-upload versions prior to v0.1.21 are vulnerable to unauthenticated remote code execution via the angular-base64-upload/demo/server.php endpoint. Exploitation of this vulnerability involves uploading arbitrary file content to the server, which can subsequently accessed through the angular-base64-upload/demo/uploads endpoint.

Recommendation

Update the angular-base64-upload package to the latest compatible version. Followings are version details:

Affected version(s): < 0.1.21
Patched version(s): 0.1.21

References

GHSA-vgxq-6rcf-qwrw
www.zyenra.com
CVE-2024-42640
CWE-434
CAPEC-310
OWASP 2021-A4
OWASP 2021-A6

Related Issues

Nuxt vulnerable to remote code execution via the browser when running the test locally - CVE-2024-34344
Angular Expressions - Remote Code Execution when using locals - CVE-2024-54152
JSONPath Plus Remote Code Execution (RCE) Vulnerability - CVE-2024-21534
Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages - CVE-2025-59417

Tags:: npm; angular-base64-upload

Anything's wrong? Let us know Last updated on October 11, 2024