CVE-2020-26220 - OpenCVE

toucbase.ai before version 2.0 leaks information by not stripping exif data from images. Anyone with access to the uploaded image of other users could obtain its geolocation, device, and software version data etc (if present. The issue is fixed in version 2.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Touchbase.ai Project	Touchbase.ai

Configuration 1 [-]

cpe:2.3:a:touchbase.ai_project:touchbase.ai:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/puncsky/touchbase.ai/pull/400/commits/69de77b163f6debaeb3f8d1a85367310a40d196f
https://github.com/puncsky/touchbase.ai/security/advisories/GHSA-hh6j-j73p-cp3h

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-11-11T22:15:14

Updated: 2024-08-04T15:49:07.176Z

Reserved: 2020-10-01T00:00:00

Link: CVE-2020-26220

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-11-11T23:15:11.477

Modified: 2020-11-17T17:21:02.567

Link: CVE-2020-26220

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "touchbase.ai", "vendor": "puncsky", "versions": [{"status": "affected", "version": "< 2.0"}]}], "descriptions": [{"lang": "en", "value": "toucbase.ai before version 2.0 leaks information by not stripping exif data from images. Anyone with access to the uploaded image of other users could obtain its geolocation, device, and software version data etc (if present. The issue is fixed in version 2.0."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "{\"CWE-200\":\"Exposure of Sensitive Information to an Unauthorized Actor\"}", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-11-11T22:15:14", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/puncsky/touchbase.ai/security/advisories/GHSA-hh6j-j73p-cp3h"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/puncsky/touchbase.ai/pull/400/commits/69de77b163f6debaeb3f8d1a85367310a40d196f"}], "source": {"advisory": "GHSA-hh6j-j73p-cp3h", "discovery": "UNKNOWN"}, "title": "Information exposure in touchbase.ai", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-26220", "STATE": "PUBLIC", "TITLE": "Information exposure in touchbase.ai"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "touchbase.ai", "version": {"version_data": [{"version_value": "< 2.0"}]}}]}, "vendor_name": "puncsky"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "toucbase.ai before version 2.0 leaks information by not stripping exif data from images. Anyone with access to the uploaded image of other users could obtain its geolocation, device, and software version data etc (if present. The issue is fixed in version 2.0."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "{\"CWE-200\":\"Exposure of Sensitive Information to an Unauthorized Actor\"}"}]}]}, "references": {"reference_data": [{"name": "https://github.com/puncsky/touchbase.ai/security/advisories/GHSA-hh6j-j73p-cp3h", "refsource": "CONFIRM", "url": "https://github.com/puncsky/touchbase.ai/security/advisories/GHSA-hh6j-j73p-cp3h"}, {"name": "https://github.com/puncsky/touchbase.ai/pull/400/commits/69de77b163f6debaeb3f8d1a85367310a40d196f", "refsource": "MISC", "url": "https://github.com/puncsky/touchbase.ai/pull/400/commits/69de77b163f6debaeb3f8d1a85367310a40d196f"}]}, "source": {"advisory": "GHSA-hh6j-j73p-cp3h", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:49:07.176Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/puncsky/touchbase.ai/security/advisories/GHSA-hh6j-j73p-cp3h"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/puncsky/touchbase.ai/pull/400/commits/69de77b163f6debaeb3f8d1a85367310a40d196f"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-26220", "datePublished": "2020-11-11T22:15:14", "dateReserved": "2020-10-01T00:00:00", "dateUpdated": "2024-08-04T15:49:07.176Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:touchbase.ai_project:touchbase.ai:*:*:*:*:*:*:*:*", "matchCriteriaId": "30CC5E42-0D4C-45BD-B3FA-072DDE3FBA5D", "versionEndExcluding": "2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "toucbase.ai before version 2.0 leaks information by not stripping exif data from images. Anyone with access to the uploaded image of other users could obtain its geolocation, device, and software version data etc (if present. The issue is fixed in version 2.0."}, {"lang": "es", "value": "toucbase.ai anterior a versi\u00f3n 2.0 filtra informaci\u00f3n al no eliminar los datos exif de las im\u00e1genes. Cualquiera con acceso a la imagen cargada de otros usuarios podr\u00eda obtener su geolocalizaci\u00f3n, dispositivo y datos de versi\u00f3n de software, etc. (Si est\u00e1 presente). El problema es corregido en la versi\u00f3n 2.0"}], "id": "CVE-2020-26220", "lastModified": "2020-11-17T17:21:02.567", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-11-11T23:15:11.477", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/puncsky/touchbase.ai/pull/400/commits/69de77b163f6debaeb3f8d1a85367310a40d196f"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/puncsky/touchbase.ai/security/advisories/GHSA-hh6j-j73p-cp3h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}