toucbase.ai before version 2.0 leaks information by not stripping exif data from images. Anyone with access to the uploaded image of other users could obtain its geolocation, device, and software version data etc (if present. The issue is fixed in version 2.0.
References
Link | Resource |
---|---|
https://github.com/puncsky/touchbase.ai/pull/400/commits/69de77b163f6debaeb3f8d1a85367310a40d196f | Patch Third Party Advisory |
https://github.com/puncsky/touchbase.ai/security/advisories/GHSA-hh6j-j73p-cp3h | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2020-11-11T22:15:14
Updated: 2020-11-11T22:15:14
Reserved: 2020-10-01T00:00:00
Link: CVE-2020-26220
JSON object: View
NVD Information
Status : Analyzed
Published: 2020-11-11T23:15:11.477
Modified: 2020-11-17T17:21:02.567
Link: CVE-2020-26220
JSON object: View
Redhat Information
No data.
CWE