Lucene search
K

4 matches found

Veracode
Veracode
added 2024/10/24 9:16 a.m.11 views

Directory Traversal

@vendure/asset-server-plugin is vulnerable to Directory Traversal. The vulnerability is due to improper validation in Vendure's asset server plugin, which allows an attacker to craft requests that traverse the server file system, retrieving arbitrary files including sensitive data and crashing th...

9.1CVSS6.6AI score0.59798EPSS
Exploits1References5Affected Software1
vulnersOsv
vulnersOsv
added 2024/10/15 6:0 p.m.6 views

@artcoded/gcp-asset-server-plugin (>=1.0.1 <=1.0.4), @grupo-loja/vendure-banner-plugin (=1.0.0) +54 more potentially affected by CVE-2024-48914 via @vendure/asset-server-plugin (>=0.12.5 <=2.2.7)

@vendure/asset-server-plugin NPM version =0.12.5, =1.0.1, =1.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.1.0, =2.0.0, =2.0.1, =2.0.0, =2.0.0, =2.0.0, =2.2.4 and more Source cves: CVE-2024-48914 Source advisory: OSV:GHSA-R9MQ-3C9R-FMJQ...

9.1CVSS7.2AI score0.59798EPSS
Exploits1
Github Security Blog
Github Security Blog
added 2024/10/15 6:0 p.m.29 views

Vendure asset server plugin has local file read vulnerability with AssetServerPlugin & LocalAssetStorageStrategy

Description Path traversal This vulnerability allows an attacker to craft a request which is able to traverse the server file system and retrieve the contents of arbitrary files, including sensitive data such as configuration files, environment variables, and other critical data stored on the...

9.1CVSS6.8AI score0.59798EPSS
Exploits1References6Affected Software1
CVE
CVE
added 2024/10/15 4:8 p.m.315 views

CVE-2024-48914

Summary (CVE-2024-48914): Vendure’s asset server plugin allows an attacker to traverse the server filesystem and read arbitrary files, including configs and environment data, due to using the decoded request path directly in path.join (no normalization). A second vector in the same code path can ...

9.1CVSS9AI score0.59798EPSS
In wildExploits1References4
Rows per page
Query Builder