RSS   Vulnerabilities for 'Liquidfiles'   RSS

2021-11-11
 
CVE-2021-43397

CWE-269
 

 
LiquidFiles before 3.6.3 allows remote attackers to elevate their privileges from Admin (or User Admin) to Sysadmin.

 
2021-04-06
 
CVE-2021-30140

CWE-79
 

 
LiquidFiles 3.4.15 has stored XSS through the "send email" functionality when sending a file via email to an administrator. When a file has no extension and contains malicious HTML / JavaScript content (such as SVG with HTML content), the payload is executed upon a click. This is fixed in 3.5.

 
2020-11-25
 
CVE-2020-29072

CWE-79
 

 
A Cross-Site Script Inclusion vulnerability was found on LiquidFiles before 3.3.19. This client-side attack requires user interaction (opening a link) and successful exploitation could lead to encrypted e-mail content leakage via messages/sent?format=js and popup?format=js.

 
 
CVE-2020-29071

CWE-79
 

 
An XSS issue was found in the Shares feature of LiquidFiles before 3.3.19. The issue arises from the insecure rendering of HTML files uploaded to the platform as attachments, when the -htmlview URL is directly accessed. The impact ranges from executing commands as root on the server to retrieving sensitive information about encrypted e-mails, depending on the permissions of the target user.

 


Copyright 2024, cxsecurity.com

 

Back to Top