QwikSec

Security Database

CVE

CWE

Training

CVE-2021-30140

Published: Apr 6, 2021

Modified: Aug 3, 2024

PUBLISHED

CVSS v3.1

5.4

MEDIUM

Description

LiquidFiles 3.4.15 has stored XSS through the "send email" functionality when sending a file via email to an administrator. When a file has no extension and contains malicious HTML / JavaScript content (such as SVG with HTML content), the payload is executed upon a click. This is fixed in 3.5.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AC:L/AV:N/A:N/C:L/I:L/PR:L/S:C/UI:R

Attack Complexity

Low

Attack Vector

Network

Availability

None

Confidentiality

Low

Integrity

Low

Privileges Required

Low

Scope

Changed

User Interaction

Required

References

https://www.tempest.com.br

x_refsource_MISC

https://liquidfiles.com/support.html

x_refsource_MISC

https://gist.github.com/rodnt/9f7d368fac38cafa7334598ec94fb167

x_refsource_MISC

20220518 LiquidFiles - 3.4.15 - Stored XSS - CVE-2021-30140

mailing-list

x_refsource_FULLDISC

http://packetstormsecurity.com/files/167228/LiquidFiles-3.4.15-Cross-Site-Scripting.html

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.