Description
Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to version 1.7.2, the thumbnail endpoint does not validate the password for password‑protected files. It checks ownership/admin for private files but skips password verification, allowing thumbnail access without the password. This issue has been patched in version 1.7.2.
A flaw was found in Flare, a file sharing platform. A remote attacker could exploit this vulnerability due to improper access control in the thumbnail endpoint. This flaw allows an attacker to access thumbnails of password-protected files without providing the correct password, leading to unauthorized information disclosure.
Report
This MODERATE vulnerability in Flare allows unauthenticated remote attackers to access thumbnails of password-protected files. The thumbnail endpoint skips password verification while other endpoints enforce it, exposing image previews without authorization. Impact is limited to low confidentiality loss as only thumbnails are exposed, not full file contents.
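The access-control gap described above, as an added sketch that is not Flare's code: a thumbnail check that only handles private files, next to one shared gate that also enforces the file password. The function names, the record shape, the scrypt hashing and the owner/admin password bypass are all assumptions made for illustration.

```javascript
// Added illustration with hypothetical names; not taken from Flare's source.
const crypto = require('node:crypto');

const hashPassword = (password, salt) => crypto.scryptSync(password, salt, 32);

// Constructed sample record: a public file protected by a password.
const SALT = Buffer.from('constructed-salt');
const sampleFile = {
  id: 'f1',
  ownerId: 'alice',
  visibility: 'PUBLIC',
  salt: SALT,
  passwordHash: hashPassword('s3cret', SALT),
};

const isOwnerOrAdmin = (file, user) =>
  Boolean(user) && (user.id === file.ownerId || user.isAdmin === true);

// Pattern the advisory describes: the thumbnail path checks ownership/admin
// for private files and never consults the password.
function thumbnailCheckBefore(file, user) {
  if (file.visibility === 'PRIVATE') return isOwnerOrAdmin(file, user);
  return true;
}

// Shared gate for every route that serves file-derived data (download,
// raw view, thumbnail), so a new route cannot skip one of the checks.
function authorizeFileAccess(file, user, suppliedPassword) {
  if (isOwnerOrAdmin(file, user)) return true; // assumption: owner/admin bypass
  if (file.visibility === 'PRIVATE') return false;
  if (!file.passwordHash) return true; // public file with no password set
  if (typeof suppliedPassword !== 'string') return false;
  // Both buffers are 32 bytes, as timingSafeEqual requires.
  const candidate = hashPassword(suppliedPassword, file.salt);
  return crypto.timingSafeEqual(candidate, file.passwordHash);
}
```

A regression test that requests every file-derived route for a password-protected file without the password catches this class of gap when a new endpoint is added.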
Additional information
Status:
5.3 Medium
CVSS3