Description
Firepad through 1.5.11 allows remote attackers, who have knowledge of a pad ID, to retrieve both the current text of a document and all content that has previously been pasted into the document. NOTE: in several similar products, this is the intentional behavior for anyone who knows the full document ID and corresponding URL.
Recommendation
No fix is available yet. The following versions are affected:
- <= 1.5.11
References
- GHSA-4fh7-m2wx-6wfm
- firebase.blog
- medium.com
- CVE-2024-51210
- CWE-125
- CWE-200
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
Tags:
- npm
- firepad
Last updated on December 05, 2024