CVE-2023-40020 — CRITICAL (9.9)

Q: How severe is CVE-2023-40020?

CVE-2023-40020 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2023-40020?

Check the references section above for vendor advisories and patch information. Affected products include: Troplo Privateuploader.

Vulnerability Description

PrivateUploader is an open source image hosting server written in Vue and TypeScript. In affected versions `app/routes/v3/admin.controller.ts` did not correctly verify whether the user was an administrator (High Level) or moderator (Low Level) causing the request to continue processing. The response would be a 403 with ADMIN_ONLY, however, next() would call leading to any updates/changes in the route to process. This issue has been addressed in version 3.2.49. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS Score

9.9

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality

LOW

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Troplo	Privateuploader	< 3.2.49

Related Weaknesses (CWE)

CWE-287

References

FAQ

What is CVE-2023-40020?

CVE-2023-40020 is a vulnerability with a CVSS score of 9.9 (CRITICAL). PrivateUploader is an open source image hosting server written in Vue and TypeScript. In affected versions `app/routes/v3/admin.controller.ts` did not correctly verify whether the user was an administ...

How severe is CVE-2023-40020?

CVE-2023-40020 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2023-40020?

Check the references section above for vendor advisories and patch information. Affected products include: Troplo Privateuploader.