Vulnerability Details : CVE-2020-26220
touchbase.ai before version 2.0 leaks information by not stripping EXIF data from uploaded images. Anyone with access to another user's uploaded image could obtain its geolocation, device, and software version data, etc. (if present). The issue is fixed in version 2.0.
Vulnerability category: Information leak
Products affected by CVE-2020-26220
- cpe:2.3:a:touchbase.ai_project:touchbase.ai:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-26220
- EPSS score: 0.20% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~40% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2020-26220
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
3.5 | LOW | AV:N/AC:M/Au:S/C:P/I:N/A:N | 6.8 | 2.9 | NIST | 
3.5 | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N | 2.1 | 1.4 | NIST | 
3.5 | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N | 2.1 | 1.4 | GitHub, Inc. | 
CWE ids for CVE-2020-26220
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: security-advisories@github.com (Primary)
References for CVE-2020-26220
- https://github.com/puncsky/touchbase.ai/security/advisories/GHSA-hh6j-j73p-cp3h
  Exif Geolocation Data not stripped · Advisory · puncsky/touchbase.ai · GitHub (Third Party Advisory)
- https://github.com/puncsky/touchbase.ai/pull/400/commits/69de77b163f6debaeb3f8d1a85367310a40d196f
  Fixed bugs. by Tuisku-L · Pull Request #400 · puncsky/touchbase.ai · GitHub (Patch; Third Party Advisory)