Lucene search

MitreCVE-2019-14280

HistoryJul 26, 2019 - 4:15 a.m.

CVE-2019-14280

2019-07-2604:15:11

CWE-200

mitre

web.nvd.nist.gov

288

cve-2019-14280

craft

exif data

image security

privacy

nvd

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

5.1

Confidence

High

EPSS

0.02

Percentile

89.1%

JSON

In some circumstances, Craft 2 before 2.7.10 and 3 before 3.2.6 wasn’t stripping EXIF data from user-uploaded images when it was configured to do so, potentially exposing personal/geolocation data to the public.

Affected configurations

Nvd

Node

craftcmscraft_cmsRange2.0.2524–2.7.10

craftcmscraft_cmsRange3.0.0–3.2.6

VendorProductVersionCPE
craftcmscraft_cms*cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
craftcms	craft_cms	*	cpe:2.3:a:craftcms:craft_cms::::::::

References

packetstormsecurity.com/files/154276/Craft-CMS-2.7.9-3.2.5-Information-Disclosure.html

github.com/craftcms/cms/blob/develop-v2/CHANGELOG-v2.md#2710---2019-07-24

github.com/craftcms/cms/blob/develop/CHANGELOG-v3.md#326---2019-07-23

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

5.1

Confidence

High

EPSS

0.02

Percentile

89.1%

JSON

Related for CVE-2019-14280