An XSS issue was found in the Shares feature of LiquidFiles before 3.3.19. The issue arises from the insecure rendering of HTML files uploaded to the platform as attachments, when the -htmlview URL is directly accessed. The impact ranges from executing commands as root on the server to retrieving sensitive information about encrypted e-mails, depending on the permissions of the target user.
References
Link | Resource |
---|---|
https://lean0x2f.github.io/liquidfiles_advisory | Exploit Third Party Advisory |
https://man.liquidfiles.com/release_notes/version_3-3-x.html | Release Notes Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2020-11-25T02:48:04
Updated: 2020-11-25T02:48:04
Reserved: 2020-11-25T00:00:00
Link: CVE-2020-29071
JSON object: View
NVD Information
Status : Analyzed
Published: 2020-11-25T03:15:11.033
Modified: 2020-12-02T16:30:46.120
Link: CVE-2020-29071
JSON object: View
Redhat Information
No data.
CWE