Key Information Summary

Vulnerability Overview
Vulnerability Name: Instant Developer RD3 - Arbitrary File Upload (CVE-2022-39983)
CVSS Score: 9.8
Severity: Critical

Technical Summary
Asset: Instant Developer RD3 < 22.5 R23
Vulnerability Type: Arbitrary File Upload
OWASP ASVS Score: L0.x
GVSSv6.1 Base Score: 8.8
CWE/SVG Base Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
OWASP Top10 2021: A04 Insecure Design

Vulnerability Description
Location: control in the file
Impact: Allows attackers to upload arbitrary files, including malicious code and reverse shells
Evidence:
- Evidence 1: Code snippet from the file related to the vulnerability
- Evidence 2: Example command demonstrating successful reverse shell upload
- Evidence 3: Terminal screenshot showing interactive reverse shell obtained on the target server

Remediation Recommendations
Action: Upgrade to Instant Developer framework version 22.5 R23 or later

References
Includes multiple reference links, such as vulnerability details, OWASP guidelines, etc.

Disclosure Timeline
Discovery Date: July 25, 2022
Vendor Notification: August 24, 2022
Vendor Confirmation: August 26, 2022
CVE ID Published: January 16, 2023

Vendor Considerations
Includes detailed vendor-specific considerations and remediation recommendations for the vulnerability
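The summary names the impact (uploading arbitrary files, including executable code) and the vendor fix (upgrade to 22.5 R23 or later) but does not describe the affected upload control itself. The following Python is an added example, not code from the advisory or from the Instant Developer framework; it shows the general class of server-side checks that closes an arbitrary file upload weakness: a sanitized basename, a single allowlisted extension, a content signature that must match the declared type, and a server-chosen storage name under a fixed root. All names (ALLOWED_SIGNATURES, validate_upload, store_upload, is_accepted) and the sample inputs are constructed for this example.

```python
import os
import re
import secrets
from pathlib import Path

# Constructed allowlist: file extension -> accepted leading byte signatures.
# Anything not listed here is rejected, whatever the client claims.
ALLOWED_SIGNATURES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
}

# Conservative filename charset; no separators, no control characters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,100}$")


class UploadRejected(ValueError):
    """Raised when an upload fails any validation step."""


def sanitize_filename(name):
    """Reduce a client-supplied name to a safe basename or reject it."""
    base = os.path.basename(name.replace("\\", "/"))
    if not base or base in {".", ".."} or not SAFE_NAME.match(base):
        raise UploadRejected("unsafe filename")
    return base


def validate_upload(filename, content):
    """Return the normalized extension if the upload passes every check."""
    base = sanitize_filename(filename)
    path = Path(base)
    ext = path.suffix.lower()
    # Require exactly one suffix so names like shell.php.png cannot
    # satisfy the allowlist while carrying a second extension.
    if len(path.suffixes) != 1 or ext not in ALLOWED_SIGNATURES:
        raise UploadRejected(f"extension not allowed: {ext or '(none)'}")
    # The declared type must agree with the bytes actually sent.
    if not any(content.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        raise UploadRejected("content does not match declared type")
    return ext


def store_upload(filename, content, upload_root):
    """Validate and write the file under upload_root with a random name."""
    ext = validate_upload(filename, content)
    root = Path(upload_root).resolve()
    # The client never controls the stored path: random name, fixed directory.
    stored = root / (secrets.token_hex(16) + ext)
    if stored.parent != root:
        raise UploadRejected("path escapes upload root")
    stored.write_bytes(content)
    return stored


def is_accepted(filename, content):
    """Convenience predicate for tests and logging: True only if valid."""
    try:
        validate_upload(filename, content)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    import tempfile

    png = b"\x89PNG\r\n\x1a\n" + b"constructed image bytes"
    # Constructed sample uploads: one benign image, three shaped like the
    # upload attempts an arbitrary-upload weakness would let through.
    samples = [
        ("photo.png", png),
        ("shell.php", b"<?php constructed"),
        ("shell.php.png", png),
        ("../../../shell.png", b"<?php constructed"),
    ]
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples:
            print(f"{name!r}: accepted={is_accepted(name, data)}")
        print("stored at:", store_upload("photo.png", png, root))
```

The decisive properties are that the stored path is derived entirely from server-side data and that the extension allowlist is tied to a content check; either one alone still leaves a path for executable content to reach the web root.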