Description
Firepad through 1.5.11 allows remote attackers, who have knowledge of a pad ID, to retrieve both the current text of a document and all content that has previously been pasted into the document. NOTE: in several similar products, this is the intentional behavior for anyone who knows the full document ID and corresponding URL.
Recommendation
No fix is available yet. Followings are affected versions:
- <= 1.5.11
References
- GHSA-4fh7-m2wx-6wfm
- firebase.blog
- medium.com
- CVE-2024-51210
- CWE-125
- CWE-200
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
Related Issues
- Strapi Allows Unauthorized Access to Private Fields via parms.lookup - CVE-2024-56143
- @lobehub/chat vulnerable to unauthorized access to plugins - CVE-2024-24566
- Vditor allows Cross-site Scripting via an attribute of an `A` element - CVE-2024-34449
- Malicious Matrix homeserver can leak truncated message content of messages it shouldn't have access to - CVE-2024-39691
- Tags:
- npm
- firepad
Anything's wrong? Let us know Last updated on December 05, 2024