OSV:GHSA-MVF6-3F2G-XFXF
May 15, 2024 - 9:05 p.m.

endroid/qr-code-bundle File Disclosure via logo_path query parameter

2024-05-15 21:05:13, Google, osv.dev

AI Score: 6.8 (Confidence: Low)

Versions of endroid/qr-code-bundle prior to 3.4.2 are affected by a security vulnerability that allows disclosure of files through the logo_path query parameter. The vulnerability arises from the improper handling of non-image data as the logo, which could lead to unintended file disclosure.
