CVE-2019-14280

Published: Jul 26, 2019Modified: Nov 21, 2024

5.3

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

In some circumstances, Craft 2 before 2.7.10 and 3 before 3.2.6 wasn't stripping EXIF data from user-uploaded images when it was configured to do so, potentially exposing personal/geolocation data to the public.

Affected (2)

Products: Craftcms: Craft Cms

Craftcms

1 product

Craft Cms

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Craftcms Craft Cms	From 2.0.2524 to 2.7.10
Craftcms Craft Cms	From 3.0.0 to 3.2.6

Related CWEs

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (6)

http://packetstormsecurity.com/files/154276/Craft-CMS-2.7.9-3.2.5-Information-Disclosure.html

Source: cve@mitre.org

https://github.com/craftcms/cms/blob/develop-v2/CHANGELOG-v2.md#2710---2019-07-24

Source: cve@mitre.org

Release NotesThird Party Advisory

https://github.com/craftcms/cms/blob/develop/CHANGELOG-v3.md#326---2019-07-23

Source: cve@mitre.org

Release NotesThird Party Advisory

http://packetstormsecurity.com/files/154276/Craft-CMS-2.7.9-3.2.5-Information-Disclosure.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/craftcms/cms/blob/develop-v2/CHANGELOG-v2.md#2710---2019-07-24

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesThird Party Advisory

https://github.com/craftcms/cms/blob/develop/CHANGELOG-v3.md#326---2019-07-23

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesThird Party Advisory

Timeline

No history available yet.