CVE-2020-26220
Published 2020-11-11
Priority: P4 | Severity: Low, base score 3.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:R / S:U / C:L / I:N / A:N
EPSS: 0.74% (50.1st percentile)
touchbase.ai before version 2.0 leaks information by not stripping EXIF data from uploaded images. Anyone with access to another user's uploaded image could read the metadata embedded in it, such as geolocation, device, and software version (if present). The issue is fixed in version 2.0.
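The weakness is in the upload path: the image bytes are stored and served exactly as the browser sent them, so whatever the camera wrote into the file's metadata segments travels with it. The Node.js example below is added here as an illustration and is not touchbase.ai's code (the project's actual change is in the linked commit). It walks a JPEG's marker segments, reports which metadata segments a file carries (the check you would run against existing uploads), and produces a copy with the Exif/XMP (APP1) and Photoshop/IPTC (APP13) segments removed (the fix). The sample JPEG is constructed inline with placeholder payloads in place of real Exif and XMP data; the function names are this example's own.

```javascript
// Added example (not touchbase.ai code): parse a JPEG's marker segments,
// report the metadata segments it carries, and emit a copy without them.
// Only the container is walked; the image itself is never decoded.

const SOI = 0xd8, EOI = 0xd9, SOS = 0xda;
// APP1 holds Exif (GPS, Make/Model, Software) and XMP; APP13 holds
// Photoshop IRB/IPTC. APP0 (JFIF) and APP2 (ICC profile) are kept so the
// image still renders correctly.
const METADATA_MARKERS = new Set([0xe1, 0xed]);

// Yields {marker, start, end, payload} for each segment up to SOS/EOI.
// The SOS/EOI entry has payload === null and covers the rest of the file.
function* headerSegments(jpeg) {
  if (jpeg.length < 4 || jpeg[0] !== 0xff || jpeg[1] !== SOI) {
    throw new Error("not a JPEG: missing SOI");
  }
  let pos = 2;
  while (pos + 2 <= jpeg.length) {
    if (jpeg[pos] !== 0xff) throw new Error(`expected marker at offset ${pos}`);
    const marker = jpeg[pos + 1];
    if (marker === 0xff) { pos += 1; continue; }               // fill byte
    if (marker === SOS || marker === EOI) {
      yield { marker, start: pos, end: jpeg.length, payload: null };
      return;
    }
    if (marker === 0x01 || (marker >= 0xd0 && marker <= 0xd7)) {
      throw new Error(`standalone marker 0x${marker.toString(16)} before SOS`);
    }
    if (pos + 4 > jpeg.length) throw new Error("truncated segment header");
    const len = jpeg.readUInt16BE(pos + 2);                    // counts its own 2 bytes
    const end = pos + 2 + len;
    if (len < 2 || end > jpeg.length) throw new Error(`bad length at offset ${pos}`);
    yield { marker, start: pos, end, payload: jpeg.subarray(pos + 4, end) };
    pos = end;
  }
  throw new Error("no SOS or EOI marker found");
}

// Check: which metadata segments does this file carry? e.g. ["APP1/Exif"]
function listMetadataSegments(jpeg) {
  const found = [];
  for (const seg of headerSegments(jpeg)) {
    if (seg.payload === null) break;
    if (!METADATA_MARKERS.has(seg.marker)) continue;
    const head = seg.payload.subarray(0, 32).toString("latin1");
    let kind = "unknown";
    if (seg.marker === 0xed) kind = "Photoshop/IPTC";
    else if (head.startsWith("Exif\0\0")) kind = "Exif";
    else if (head.startsWith("http://ns.adobe.com/xap/1.0/")) kind = "XMP";
    found.push(`APP${seg.marker - 0xe0}/${kind}`);
  }
  return found;
}

// Fix: copy every segment except APP1/APP13, then the scan data verbatim.
function stripMetadata(jpeg) {
  const parts = [jpeg.subarray(0, 2)];
  for (const seg of headerSegments(jpeg)) {
    if (seg.payload === null || !METADATA_MARKERS.has(seg.marker)) {
      parts.push(jpeg.subarray(seg.start, seg.end));
    }
  }
  return Buffer.concat(parts);
}

// Helper to build a marker segment with a correct length field.
function segment(marker, payload) {
  const header = Buffer.from([0xff, marker, 0, 0]);
  header.writeUInt16BE(payload.length + 2, 2);
  return Buffer.concat([header, payload]);
}

// Constructed sample (not a real upload): the marker layout of a camera
// JPEG, with the Exif and XMP payloads replaced by placeholder text.
const EXIF_PAYLOAD = Buffer.from(
  "Exif\0\0MM\0*\0\0\0\x08[constructed GPS/Make/Model/Software IFD]", "latin1");
const XMP_PAYLOAD = Buffer.from(
  "http://ns.adobe.com/xap/1.0/\0<x:xmpmeta/>", "latin1");
const SAMPLE_JPEG = Buffer.concat([
  Buffer.from([0xff, SOI]),
  segment(0xe0, Buffer.from("JFIF\0\x01\x01\0\0\x01\0\x01\0\0", "latin1")),
  segment(0xe1, EXIF_PAYLOAD),
  segment(0xe1, XMP_PAYLOAD),
  segment(0xdb, Buffer.alloc(65, 1)),                              // DQT
  Buffer.from([0xff, SOS, 0x00, 0x08, 0x01, 0x01, 0x00, 0x00, 0x3f, 0x00]),
  Buffer.from([0x12, 0xff, 0x00, 0x34]),                          // scan data, FF00-stuffed
  Buffer.from([0xff, EOI]),
]);
```

Most server-side fixes do not parse the container by hand; they re-encode the upload through an image library, which drops metadata unless explicitly asked to keep it. The value of the parser is the check: run listMetadataSegments over files already in the bucket to find what was stored before the fix, and assert it returns an empty list for anything served afterwards. Note that JPEG is not the only carrier; PNG (eXIf and tEXt chunks), WebP and HEIC have their own metadata containers, so the same check is needed for every format the upload endpoint accepts.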
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| puncsky | touchbase.ai | < 2.0 | 2.0 |
| touchbase.ai_project | touchbase.ai | < 2.0 | 2.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 3.5 | Low | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N |
| NVD | 2.0 | 3.5 | Low | AV:N/AC:M/Au:S/C:P/I:N/A:N |
No advisories linked to this vulnerability.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
CWE
CWE-359: Exposure of Private Personal Information to an Unauthorized Actor
The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
Modes of Introduction:
Phase: Architecture and Design
Note: OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase.
Phase: Implementation
Phase: Operation
Common Consequences:
Scope: Confidentiality. Impact: Read Application Data.
Detection Methods:
Architecture or Design Review: Private personal data can enter a program in a variety of ways: Directly from the user in the form of a password or
CWE
CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer
The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.
Resources that may contain sensitive data include documents, packets, messages, databases, etc. While this data may be useful to an individual user or small set of users who share the resource, it may need to be removed before the resource can be shared outside of the trusted group. The process of removal is sometimes called cleansing or scrubbing. For example, a product for editing documents might not remove sensitive data such as reviewer comments or the local pathname where the document is stored. Or,
References
https://github.com/puncsky/touchbase.ai/security/advisories/GHSA-hh6j-j73p-cp3h
https://github.com/puncsky/touchbase.ai/pull/400/commits/69de77b163f6debaeb3f8d1a85367310a40d196f