Vulnerability Description
LiquidFiles 3.4.15 has stored XSS through the "send email" functionality when sending a file via email to an administrator. When the sent file has no extension and contains malicious HTML/JavaScript content (such as an SVG with embedded HTML or script), the payload executes when the recipient clicks the file. This is fixed in 3.5.
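The advisory does not say how the file is served, but the usual root cause of this class of bug (an assumption, not something the advisory states) is that an extension-less upload is served inline with a sniffed or missing Content-Type, so the browser renders SVG/HTML content as a document. The example below, added here and not taken from LiquidFiles or the advisory, shows the server-side check a practitioner would want: classify an upload by its content rather than its extension, and serve anything that looks like active markup as an opaque attachment with `nosniff`. The functions `looks_like_active_markup` and `download_headers`, the `SAFE_INLINE_TYPES` allow-list, and the sample payloads are hypothetical and constructed for illustration; the markup detector is a simplified approximation of browser sniffing heuristics, not the exact algorithm.

```python
import re
from urllib.parse import quote

# Leading markup that a browser's MIME sniffer would treat as a renderable document
# (HTML root/script tags, SVG roots). Simplified approximation of browser heuristics,
# not the WHATWG algorithm: it accepts an optional XML prolog and leading comments.
_MARKUP_PATTERNS = re.compile(
    rb"^\s*(?:<\?xml[^>]*>\s*)?"
    rb"(?:<!--.*?-->\s*)*"
    rb"(?:<!DOCTYPE\s+(?:html|svg)|<html|<head|<body|<script|<iframe|<svg|<object|<embed)",
    re.IGNORECASE | re.DOTALL,
)

# Hypothetical allow-list of types we are willing to render inline, keyed by extension.
# Anything else, including a file with no extension, is served as an opaque download.
SAFE_INLINE_TYPES = {
    "txt": "text/plain; charset=utf-8",
    "pdf": "application/pdf",
    "png": "image/png",
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
}


def looks_like_active_markup(data: bytes, sniff_window: int = 1024) -> bool:
    """True if the first bytes look like HTML or SVG a browser would execute."""
    head = data[:sniff_window].lstrip(b"\xef\xbb\xbf")  # drop a UTF-8 BOM if present
    return _MARKUP_PATTERNS.search(head) is not None


def _safe_filename(filename: str) -> str:
    """Strip path components and header-breaking characters from a user-supplied name."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    name = re.sub(r'[\r\n"]', "", name)
    return name or "download"


def download_headers(filename: str, data: bytes) -> dict:
    """Choose response headers for serving an uploaded file.

    Inline rendering is allowed only when the extension is on the allow-list AND the
    content does not look like active markup; every other case is an attachment with a
    non-renderable Content-Type so the browser never treats the bytes as a document.
    """
    name = _safe_filename(filename)
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    inline_type = SAFE_INLINE_TYPES.get(ext)
    if inline_type and not looks_like_active_markup(data):
        disposition, content_type = "inline", inline_type
    else:
        disposition, content_type = "attachment", "application/octet-stream"
    ascii_name = name.encode("ascii", "ignore").decode() or "download"
    return {
        "Content-Type": content_type,
        # RFC 6266 form with both a plain ASCII fallback and an RFC 5987 encoded name
        "Content-Disposition": (
            f'{disposition}; filename="{ascii_name}"; filename*=UTF-8\'\'{quote(name)}'
        ),
        # Forbid content sniffing even if a proxy or CDN rewrites Content-Type
        "X-Content-Type-Options": "nosniff",
        # Defence in depth: if something upstream still renders it, it runs sandboxed
        "Content-Security-Policy": "sandbox",
    }


if __name__ == "__main__":
    # Constructed sample: an extension-less upload whose body is an SVG with a script.
    svg_no_ext = (
        b'<?xml version="1.0"?>\n'
        b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.domain)</script></svg>'
    )
    for name, body in [("report", svg_no_ext), ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)]:
        print(name, download_headers(name, body))
```

The check is deliberately content-first: renaming the payload to `report.txt` still yields an attachment with `application/octet-stream`, because the allow-list is only consulted when the bytes do not look like markup.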
CVSS Score
5.4 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Liquidfiles | Liquidfiles | 3.4.15 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/167228/LiquidFiles-3.4.15-Cross-Site-Script (Exploit, Third Party Advisory, VDB Entry)
- http://seclists.org/fulldisclosure/2022/May/41 (Exploit, Mailing List, Third Party Advisory)
- https://gist.github.com/rodnt/9f7d368fac38cafa7334598ec94fb167 (Exploit, Third Party Advisory)
- https://liquidfiles.com/support.html (Vendor Advisory)
- https://www.tempest.com.br (Not Applicable)
FAQ
What is CVE-2021-30140?
CVE-2021-30140 is a vulnerability with a CVSS score of 5.4 (MEDIUM). LiquidFiles 3.4.15 has stored XSS through the "send email" functionality when sending a file via email to an administrator. When the sent file has no extension and contains malicious HTML/JavaScript content (such as an SVG with embedded HTML or script), the payload executes when the recipient clicks the file.
How severe is CVE-2021-30140?
CVE-2021-30140 has been rated MEDIUM with a CVSS base score of 5.4/10. The vector requires an attacker who can send a file to an administrator and an administrator who clicks it, consistent with a medium-severity stored XSS.
Is there a patch for CVE-2021-30140?
Yes. The vulnerability description states that the issue is fixed in LiquidFiles 3.5; upgrade from 3.4.15 to 3.5 or later. See the vendor advisory in the references section above for details. Affected products: Liquidfiles Liquidfiles 3.4.15.