Insecure HTML Rendering in LiquidFiles Shares Feature

Insecure HTML Rendering in LiquidFiles Shares Feature

CVE-2020-29071 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

An XSS issue was found in the Shares feature of LiquidFiles before 3.3.19. The issue arises from the insecure rendering of HTML files uploaded to the platform as attachments, when the -htmlview URL is directly accessed. The impact ranges from executing commands as root on the server to retrieving sensitive information about encrypted e-mails, depending on the permissions of the target user.

Learn more about our Cis Benchmark Audit For Server Software.