Stored Cross-Site Scripting in LiquidFiles 3.4.15
CVE-2021-30140

5.4 MEDIUM

Key Information:

Vendor
CVE Published: 6 April 2021

What is CVE-2021-30140?

LiquidFiles version 3.4.15 is vulnerable to stored cross-site scripting (XSS) through its email functionality. When a user sends a file via email to an administrator, and the file has no extension and contains malicious HTML or JavaScript content (for example, an SVG with embedded HTML), the payload executes when clicked. The vulnerability was addressed in version 3.5; upgrading to that version protects against this attack.

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
