CVE-2024-10668

CWE-434Unrestricted File Upload3 documents3 sources
Severity
5.9MEDIUM
EPSS
0.0%
top 96.66%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Google NearbyGoogle Quick Share
Timeline
PublishedNov 7

Description

There exists an auth bypass in Google Quickshare where an attacker can upload an unknown file type to a victim. The root cause of the vulnerability lies in the fact that when a Payload Transfer frame of type FILE is sent to Quick Share, the file that is contained in this frame is written to disk in the Downloads folder. Quickshare normally deletes unkown files, however an attacker can send two Payload transfer frames of type FILE and the same payload ID. The deletion logic will only delete the f

CVSS vector

CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:A/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L

Affected Packages2 packages

NVDgoogle/quick_share< 1.0.2002.2
CVEListV5google/nearby< 5d8b9156e0c339d82d3dab0849187e8819ad92c0+1

Patches

Patch: github.com

🔴Vulnerability Details

2
GHSA
GHSA-j9g6-vvr6-x5wm: There exists an auth bypass in Google Quickshare where an attacker can upload an unknown file type to a victim2024-11-07
CVEList
Auth Bypass in Quickshare2024-11-07
CVE-2024-10668 (MEDIUM CVSS 5.9) | There exists an auth bypass in Goog | cvebase.io