{"id":"CVE-2021-23562","details":"This affects the package plupload before 2.3.9. A file name containing JavaScript code could be uploaded and run. An attacker would need to trick a user to upload this kind of file.","aliases":["GHSA-rp2c-jrgp-cvr8"],"modified":"2026-04-10T04:30:27.077495Z","published":"2021-12-03T20:15:07.463Z","related":["SNYK-JAVA-ORGWEBJARS-2306665","SNYK-JAVA-ORGWEBJARSBOWER-2306663","SNYK-JAVA-ORGWEBJARSBOWERGITHUBMOXIECODE-2306664","SNYK-JS-PLUPLOAD-1583909"],"references":[{"type":"WEB","url":"https://github.com/moxiecode/plupload/blob/master/js/jquery.plupload.queue/jquery.plupload.queue.js%23L226"},{"type":"FIX","url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBMOXIECODE-2306664"},{"type":"FIX","url":"https://snyk.io/vuln/SNYK-JS-PLUPLOAD-1583909"},{"type":"FIX","url":"https://github.com/moxiecode/plupload/commit/d12175d4b5fa799b994ee1bb17bfbeec55b386fb"},{"type":"FIX","url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-2306665"},{"type":"FIX","url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2306663"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/moxiecode/plupload","events":[{"introduced":"0"},{"fixed":"d12175d4b5fa799b994ee1bb17bfbeec55b386fb"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.3.9"}]}}],"versions":["1.0","1.1","1.1.1","1.2","1.2.1","1.2.2","1.2.2.1","1.2.3","1.4.0","1.4.1","1.4.2","1.4.3.2","1.5.1","1.5.3","1.5.4","v2.0.0","v2.1.0","v2.1.1","v2.1.2","v2.1.3","v2.1.4","v2.2.1","v2.3.1","v2.3.4","v2.3.6","v2.3.7","v2.3.8"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-23562.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}