{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T23:02:53.122","vulnerabilities":[{"cve":{"id":"CVE-2022-31041","sourceIdentifier":"security-advisories@github.com","published":"2022-06-13T13:15:13.667","lastModified":"2024-11-21T07:03:46.203","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Open Forms is an application for creating and publishing smart forms. Open Forms supports file uploads as one of the form field types. These fields can be configured to allow only certain file extensions to be uploaded by end users (e.g. only PDF / Excel / ...). The input validation of uploaded files is insufficient in versions prior to 1.0.9 and 1.1.1. Users could alter or strip file extensions to bypass this validation. This results in files being uploaded to the server that are of a different file type than indicated by the file name extension. These files may be downloaded (manually or automatically) by staff and/or other applications for further processing. Malicious files can therefore find their way into internal/trusted networks. Versions 1.0.9 and 1.1.1 contain patches for this issue. As a workaround, an API gateway or intrusion detection solution in front of open-forms may be able to scan for and block malicious content before it reaches the Open Forms application."},{"lang":"es","value":"Open Forms es una aplicación para crear y publicar formularios inteligentes. Open Forms admite la carga de archivos como uno de los tipos de campo del formulario. Estos campos pueden configurarse para que los usuarios finales sólo puedan cargar determinadas extensiones de archivo (por ejemplo, sólo PDF / Excel / ...). La comprobación de entrada de los archivos subidos es insuficiente en las versiones anteriores a 1.0.9 y 1.1.1. Los usuarios podían alterar o eliminar las extensiones de los archivos para omitir esta comprobación. Esto resulta en que sean subidos al servidor archivos que son de un tipo de archivo diferente al indicado por la extensión del nombre del archivo. Estos archivos pueden ser descargados (manual o automáticamente) por el personal y/o otras aplicaciones para su posterior procesamiento. Por lo tanto, los archivos maliciosos pueden encontrar su camino en las redes internas/confiables. Las versiones 1.0.9 y 1.1.1 contienen parches para este problema. Como mitigación, una puerta de enlace de la API o una solución de detección de intrusos frente a Open Forms puede ser capaz de escanear y bloquear el contenido malicioso antes de que llegue a la aplicación Open Forms"}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L","baseScore":7.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"HIGH","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":4.7},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:N/I:P/A:N","baseScore":4.0,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE"},"baseSeverity":"MEDIUM","exploitabilityScore":8.0,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-20"},{"lang":"en","value":"CWE-434"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:maykinmedia:open_forms:*:*:*:*:*:*:*:*","versionEndExcluding":"1.0.9","matchCriteriaId":"CC6562EA-A0C8-4C37-B556-E83242D34914"},{"vulnerable":true,"criteria":"cpe:2.3:a:maykinmedia:open_forms:1.1.0:-:*:*:*:*:*:*","matchCriteriaId":"79EB5A82-12EA-4CF2-A9F3-3D36908D15AA"},{"vulnerable":true,"criteria":"cpe:2.3:a:maykinmedia:open_forms:1.1.0:rc0:*:*:*:*:*:*","matchCriteriaId":"3081AA3A-A8D5-4873-A97F-B9CB59B4F4D1"},{"vulnerable":true,"criteria":"cpe:2.3:a:maykinmedia:open_forms:1.1.0:rc1:*:*:*:*:*:*","matchCriteriaId":"EB1F9D1E-B00F-4AEF-ACE6-F8FCDE75B3B6"}]}]}],"references":[{"url":"https://github.com/open-formulieren/open-forms/commit/0978a29e821a7228c5d46c0527c3e925eb91b071","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/open-formulieren/open-forms/security/advisories/GHSA-h85r-xv4w-cg8g","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"https://github.com/open-formulieren/open-forms/commit/0978a29e821a7228c5d46c0527c3e925eb91b071","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/open-formulieren/open-forms/security/advisories/GHSA-h85r-xv4w-cg8g","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]}]}}]}