First published: Thu May 07 2020(Updated: )
An issue was discovered in Serpico before 1.3.3. The /admin/attacments_backup endpoint can be requested by non-admin authenticated users. This means that an attacker with a user account can retrieve all of the attachments of all users (including administrators) from the database.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Serpico Project Serpico | <1.3.3 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.