5 matches found
PYSEC-2026-1494 Kinto Attachment's attachments can be replaced on read-only records
Impact The attachment file of an existing record can be replaced if the user has "read" permission on one of the parent collection or bucket. And if the "read" permission is given to "system.Everyone" on one of the parent, then the attachment can be replaced on a record using an anonymous request...
GHSA-HVP4-VRV2-8WRQ Kinto Attachment's attachments can be replaced on read-only records
Impact The attachment file of an existing record can be replaced if the user has "read" permission on one of the parent collection or bucket. And if the "read" permission is given to "system.Everyone" on one of the parent, then the attachment can be replaced on a record using an anonymous request...
kinto-dist (>=0.7.0 <=18.0.2) potentially affected by CVE-2024-1314 via kinto-attachment (>=0.8.0 <=6.0.2)
kinto-attachment PYPI version =0.8.0, =0.7.0, =18.0.2 Source cves: CVE-2024-1314 Source advisory: OSV:GHSA-HVP4-VRV2-8WRQ...
Kinto Attachment's attachments can be replaced on read-only records
Impact The attachment file of an existing record can be replaced if the user has "read" permission on one of the parent collection or bucket. And if the "read" permission is given to "system.Everyone" on one of the parent, then the attachment can be replaced on a record using an anonymous request...
PT-2024-17934
Name of the Vulnerable Software and Affected Versions kinto-attachment versions prior to 6.4.0 Description The issue allows an attachment file of an existing record to be replaced if a user has read permission on one of the parent collections or buckets. Furthermore, if the read permission is...