Ibexa Kernel 的扩展名被列入黑名单的文件仍然可以保存到草稿中

CVE编号

N/A

利用情况

暂无

补丁情况

N/A

披露时间

2024-03-21

漏洞描述

File validation can be configured to reject certain files by file type. When this happens, validation fails, and the content can't be published. However, the file can be saved when saving the content draft. This means unwanted files can be present in storage, even if they are not easily accessible due to the content not being published. The fix ensures these unwanted file types are never stored. An attacker would need to have existing access to create content with a file field type to exploit this.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://github.com/advisories/GHSA-9j39-4686-m3c4

CVSS3评分 N/A

• 攻击路径 N/A
• 攻击复杂度 N/A
• 权限要求 N/A
• 影响范围 N/A
• 用户交互 N/A
• 可用性 N/A
• 保密性 N/A
• 完整性 N/A

N/A

CWE-ID	漏洞类型
CWE-434	危险类型文件的不加限制上传

Exp相关链接

- avd.aliyun.com