First published: Fri Jul 26 2019
In some circumstances, Craft 2 before 2.7.10 and Craft 3 before 3.2.6 did not strip EXIF data from user-uploaded images when configured to do so, potentially exposing personal/geolocation data to the public.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Craftcms Craft Cms | >=2.0.2524<2.7.10 | |
Craftcms Craft Cms | >=3.0.0<3.2.6 | |
The vulnerability ID for this Craft CMS vulnerability is CVE-2019-14280.
The severity of CVE-2019-14280 is medium with a CVSS score of 5.3.
Craft CMS 2 versions before 2.7.10 and Craft CMS 3 versions before 3.2.6 are affected by CVE-2019-14280.
CVE-2019-14280 could potentially expose personal/geolocation data to the public.
To fix CVE-2019-14280, you should update Craft CMS to version 2.7.10 for Craft 2 or version 3.2.6 for Craft 3.
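To check whether images already sitting in an uploads folder still carry EXIF or GPS metadata, the following is an added example (not part of the original advisory and not Craft CMS code): a standard-library Python check that walks a JPEG's header segments and reports an EXIF block and a GPS pointer. The function names and the sample byte strings are constructed for illustration; the check assumes header segments without fill bytes and inspects only IFD0.

```python
import struct

GPS_IFD_TAG = 0x8825  # IFD0 tag that points at the GPS sub-IFD

def exif_blocks(jpeg: bytes):
    """Yield the TIFF payload of each APP1/Exif segment in a JPEG."""
    if jpeg[:2] != b"\xff\xd8":                    # no SOI marker: not a JPEG
        return
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, length = struct.unpack(">BH", jpeg[pos + 1:pos + 4])
        if marker in (0xDA, 0xD9) or length < 2:   # SOS/EOI or bad length
            return
        body = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            yield body[6:]
        pos += 2 + length

def has_gps(tiff: bytes) -> bool:
    """True if IFD0 of this TIFF block carries the GPS IFD pointer."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None or len(tiff) < 8:
        return False
    magic, ifd0 = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42 or ifd0 + 2 > len(tiff):
        return False
    (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
    entries = tiff[ifd0 + 2:ifd0 + 2 + 12 * count]
    return any(struct.unpack(order + "H", entries[i:i + 2])[0] == GPS_IFD_TAG
               for i in range(0, len(entries) - 11, 12))

def audit(jpeg: bytes) -> str:
    """Classify one uploaded JPEG as 'clean', 'exif' or 'exif+gps'."""
    blocks = list(exif_blocks(jpeg))
    if any(has_gps(b) for b in blocks):
        return "exif+gps"
    return "exif" if blocks else "clean"

def sample_jpeg(tiff: bytes) -> bytes:
    """Constructed test file (not a real photo): SOI, APP1/Exif, EOI."""
    body = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"
STRIPPED = b"\xff\xd8\xff\xd9"                     # constructed: no metadata
GEOTAGGED = sample_jpeg(b"II*\x00\x08\x00\x00\x00\x01\x00"  # constructed IFD0
                        b"\x25\x88\x04\x00\x01\x00\x00\x00\x1a\x00\x00\x00" + bytes(4))

if __name__ == "__main__":
    for name, data in (("stripped", STRIPPED), ("geotagged", GEOTAGGED)):
        print(name, audit(data))
```

In practice, `audit()` would be called on the bytes of each JPEG under the site's asset volume, and any result other than `clean` flags a file to re-process.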