Vulnerability CVE-2021-30140


Published: 2021-04-06

Description:
LiquidFiles 3.4.15 has stored XSS through the "send email" functionality when sending a file via email to an administrator. When a file has no extension and contains malicious HTML / JavaScript content (such as SVG with HTML content), the payload is executed upon a click. This is fixed in 3.5.

See advisories in our WLB2 database:
Topic: [Low] LiquidFiles 3.4.15 Cross Site Scripting
Author: Rodolfo Tavares
Date: 22.05.2022

Type: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

CVSS2 => (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVSS Base Score: 3.5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 6.8/10

Exploit range: Remote
Attack complexity: Medium
Authentication: Single time

Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Affected software: Liquidfiles -> Liquidfiles

References:
https://gist.github.com/rodnt/9f7d368fac38cafa7334598ec94fb167
https://liquidfiles.com/support.html
https://www.tempest.com.br

Copyright 2024, cxsecurity.com

 
