Cross-Site Scripting Vulnerability in LiquidFiles by LiquidFiles
CVE-2020-29071

9CRITICAL

Key Information:

Vendor

Liquidfiles

Status
Liquidfiles
Vendor
CVE Published:
25 November 2020

What is CVE-2020-29071?

An XSS vulnerability exists within the Shares feature of LiquidFiles prior to version 3.3.19. This issue stems from the improper handling of HTML files uploaded as attachments. When users access attachments through the '-htmlview' URL, untrusted content may be executed within a web browser context. This could potentially allow an attacker to execute arbitrary commands on the server or extract sensitive information related to encrypted emails, depending on the user’s permissions. Addressing this vulnerability is essential to maintain the integrity and security of user data shared through LiquidFiles.

References

https://lean0x2f.github.io/liquidfiles_advisory
x_refsource_MISC
https://man.liquidfiles.com/release_notes/version_3-3-x.html
x_refsource_MISC

CVSS V3.1

Score:
9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.