GHSA-mvf6-3f2g-xfxf

Source
https://github.com/advisories/GHSA-mvf6-3f2g-xfxf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-mvf6-3f2g-xfxf/GHSA-mvf6-3f2g-xfxf.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mvf6-3f2g-xfxf
Published
2024-05-15T21:05:13Z
Modified
2024-11-29T05:37:08.887462Z
Summary
endroid/qr-code-bundle File Disclosure via logo_path query parameter
Details

Versions of endroid/qr-code-bundle prior to 3.4.2 are affected by a security vulnerability that allows disclosure of files through the logo_path query parameter. The vulnerability arises from the improper handling of non-image data as the logo, which could lead to unintended file disclosure.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-15T21:05:13Z"
}
References

Affected packages

Packagist / endroid/qr-code-bundle

Package

Name
endroid/qr-code-bundle
Purl
pkg:composer/endroid/qr-code-bundle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.4.2

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.2.0
3.2.1
3.2.2
3.2.3
3.3.0
3.3.1
3.3.2
3.3.3
3.3.4
3.4.0
3.4.1