9 matches found
CVE-2024-53276 GHSL-2024-092: Open CORS policy in home-gallery
Home-Gallery.org is a self-hosted open-source web gallery to browse personal photos and videos. In 1.15.0 and earlier, an open CORS policy in app.js may allow an attacker to view the images of home-gallery when it is using the default settings. The following express middleware allows any website ...
Edu-Sharing Arbitrary File Upload
SEC Consult Vulnerability Lab Security Advisory ======================================================================= title: Arbitrary File Upload product: edu-sharing metaVentis GmbH vulnerable versions: =8.0.8-RC2, =8.1.4-RC0, =9.0.0-RC19 CVE number: CVE-2024-28147 impact: high homepage:...
CVE-2024-28147
An authenticated user can upload arbitrary files in the upload function for collection preview images. An attacker may upload an HTML file that includes malicious JavaScript code which will be executed if a user visits the direct URL of the collection preview image Stored Cross Site Scripting. It...
CVE-2024-28147
Edu-sharing (pre-9.0.0-RC19) is affected by CVE-2024-28147: an authenticated user can upload arbitrary files via the collection preview image upload, enabling Stored XSS through HTML/JavaScript execution when users access the direct image URL and potential DoS via SVG with nested XML entities. Af...
PT-2024-4409 · Unknown · Edu-Sharing
Name of the Vulnerable Software and Affected Versions: edu-sharing versions 8.0.8-RC2, 8.1.4-RC0, 9.0.0-RC19 can be simplified to: edu-sharing versions prior to 8.0.8-RC2, 8.1.4-RC0, and 9.0.0-RC19 However, given the instruction to consolidate ranges into the most concise form and considering the...
Code injection
Nextcloud Server is an open source personal cloud server. Prior to versions 24.0.7 and 25.0.1, disabled download shares still allow download through preview images. Images could be downloaded and previews of documents first page can be downloaded without being watermarked. Versions 24.0.7 and...
CVE-2022-41970 Nextcloud Server's disabled download shares still allow download through preview images
Nextcloud Server is an open source personal cloud server. Prior to versions 24.0.7 and 25.0.1, disabled download shares still allow download through preview images. Images could be downloaded and previews of documents first page can be downloaded without being watermarked. Versions 24.0.7 and...
Nextcloud 安全漏洞
Nextcloud is a suite of open source, self-hosted file synchronization and sharing communication application platform from Nextcloud, Germany. A security vulnerability exists in Nextcloud Server versions prior to 24.0.7, 25.0.1 and prior to 25.0.1, which stems from a disabled download share that...
Nextcloud: Disabled download shares still allow download through preview images
Summary: Steps To Reproduce: 1. Share a folder and disable the "Allow download" permission 2. Now as the recipient of the file you can still download the preview of the file This is an issue for images but also for shared documents where viewing them in Collabora would present them watermarked bu...