Total
5 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-4393 | 1 Liquidfiles | 1 Liquidfiles | 2024-11-21 | N/A | 5.4 MEDIUM |
HTML and SMTP injections on the registration page of LiquidFiles versions 3.7.13 and below, allow an attacker to perform more advanced phishing attacks against an organization. | |||||
CVE-2021-43397 | 1 Liquidfiles | 1 Liquidfiles | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
LiquidFiles before 3.6.3 allows remote attackers to elevate their privileges from Admin (or User Admin) to Sysadmin. | |||||
CVE-2021-30140 | 1 Liquidfiles | 1 Liquidfiles | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
LiquidFiles 3.4.15 has stored XSS through the "send email" functionality when sending a file via email to an administrator. When a file has no extension and contains malicious HTML / JavaScript content (such as SVG with HTML content), the payload is executed upon a click. This is fixed in 3.5. | |||||
CVE-2020-29072 | 1 Liquidfiles | 1 Liquidfiles | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
A Cross-Site Script Inclusion vulnerability was found on LiquidFiles before 3.3.19. This client-side attack requires user interaction (opening a link) and successful exploitation could lead to encrypted e-mail content leakage via messages/sent?format=js and popup?format=js. | |||||
CVE-2020-29071 | 1 Liquidfiles | 1 Liquidfiles | 2024-11-21 | 8.5 HIGH | 9.0 CRITICAL |
An XSS issue was found in the Shares feature of LiquidFiles before 3.3.19. The issue arises from the insecure rendering of HTML files uploaded to the platform as attachments, when the -htmlview URL is directly accessed. The impact ranges from executing commands as root on the server to retrieving sensitive information about encrypted e-mails, depending on the permissions of the target user. |