uppy is vulnerable to server-side request forgery (SSRF). The fix for CVE-2020-8135 is inadequate: the check of the host's IP address against a blacklist can be bypassed, allowing a remote attacker to perform HTTP requests in the context of the server.
Name | Operator | Version | CPE |
---|---|---|---|
uppy | le | 1.13.1 | |
uppy | le | 1.16.0 | |
uppy | le | 1.7.0 | |
@uppy/companion | le | 2.0.0-alpha.4 | |
@uppy/companion | le | 1.13.1 | |
uppy | le | 1.9.3 | |
uppy | le | [email protected] |