CVE-2019-14280

Опубликовано: 26 июл. 2019

Источник: nvd

CVSS3: 5.3

CVSS2: 5

EPSS Средний

Описание

In some circumstances, Craft 2 before 2.7.10 and 3 before 3.2.6 wasn't stripping EXIF data from user-uploaded images when it was configured to do so, potentially exposing personal/geolocation data to the public.

Ссылки

http://packetstormsecurity.com/files/154276/Craft-CMS-2.7.9-3.2.5-Information-Disclosure.html
https://github.com/craftcms/cms/blob/develop-v2/CHANGELOG-v2.md#2710---2019-07-24
Release Notes
Third Party Advisory
https://github.com/craftcms/cms/blob/develop/CHANGELOG-v3.md#326---2019-07-23
Release Notes
Third Party Advisory
http://packetstormsecurity.com/files/154276/Craft-CMS-2.7.9-3.2.5-Information-Disclosure.html
https://github.com/craftcms/cms/blob/develop-v2/CHANGELOG-v2.md#2710---2019-07-24
Release Notes
Third Party Advisory
https://github.com/craftcms/cms/blob/develop/CHANGELOG-v3.md#326---2019-07-23
Release Notes
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*

Версия от 2.0.2524 (включая) до 2.7.10 (исключая)

cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*

Версия от 3.0.0 (включая) до 3.2.6 (исключая)

EPSS

Процентиль: 95%

0.15895

Средний

5.3 Medium

CVSS3

5 Medium

CVSS2

Дефекты

CWE-200

Связанные уязвимости

GHSA-4p62-chh9-5q2v