Description
Incorrect Authorization in @uppy/companion
@uppy/companion prior to version 3.3.1 is vulnerable to incorrect authorization. A user with URL upload access could enumerate internal companion server networks, send files from local web servers to the destination server, and finally download them, if each of these files had a guessable and regular name.
Packages
Name: @uppy/companion (npm)
Affected versions: < 3.3.1
Fixed version: 3.3.1
Related vulnerabilities
CVSS3: 6.5
nvd
almost 4 years ago
Server-Side Request Forgery (SSRF) in GitHub repository transloadit/uppy prior to 3.3.1.