CVE-2020-26220 - Vulnerability Details - OpenCVE

Description

toucbase.ai before version 2.0 leaks information by not stripping exif data from images. Anyone with access to the uploaded image of other users could obtain its geolocation, device, and software version data etc (if present. The issue is fixed in version 2.0.

Published: 2020-11-11

Score: 3.5 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

puncsky

touchbase.ai

affected

Version	Status	Constraints
`< 2.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:touchbase.ai_project:touchbase.ai:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2020-18839	toucbase.ai before version 2.0 leaks information by not stripping exif data from images. Anyone with access to the uploaded image of other users could obtain its geolocation, device, and software version data etc (if present. The issue is fixed in version 2.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00203.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/puncsky/touchbase.ai/pull/400/commits/69de77b163f6debaeb3f8d1a85367310a40d196f
https://github.com/puncsky/touchbase.ai/security/advisories/GHSA-hh6j-j73p-cp3h

History

No history.

Subscriptions

Touchbase.ai Project Touchbase.ai

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-11-11T22:15:14.000Z

Updated: 2024-08-04T15:49:07.176Z

Reserved: 2020-10-01T00:00:00.000Z

Link: CVE-2020-26220

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-11-11T23:15:11.477

Modified: 2024-11-21T05:19:34.077

Link: CVE-2020-26220

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-200

{"containers": {"cna": {"affected": [{"product": "touchbase.ai", "vendor": "puncsky", "versions": [{"status": "affected", "version": "< 2.0"}]}], "descriptions": [{"lang": "en", "value": "toucbase.ai before version 2.0 leaks information by not stripping exif data from images. Anyone with access to the uploaded image of other users could obtain its geolocation, device, and software version data etc (if present. The issue is fixed in version 2.0."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "{\"CWE-200\":\"Exposure of Sensitive Information to an Unauthorized Actor\"}", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-11-11T22:15:14.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/puncsky/touchbase.ai/security/advisories/GHSA-hh6j-j73p-cp3h"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/puncsky/touchbase.ai/pull/400/commits/69de77b163f6debaeb3f8d1a85367310a40d196f"}], "source": {"advisory": "GHSA-hh6j-j73p-cp3h", "discovery": "UNKNOWN"}, "title": "Information exposure in touchbase.ai", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-26220", "STATE": "PUBLIC", "TITLE": "Information exposure in touchbase.ai"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "touchbase.ai", "version": {"version_data": [{"version_value": "< 2.0"}]}}]}, "vendor_name": "puncsky"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "toucbase.ai before version 2.0 leaks information by not stripping exif data from images. Anyone with access to the uploaded image of other users could obtain its geolocation, device, and software version data etc (if present. The issue is fixed in version 2.0."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "{\"CWE-200\":\"Exposure of Sensitive Information to an Unauthorized Actor\"}"}]}]}, "references": {"reference_data": [{"name": "https://github.com/puncsky/touchbase.ai/security/advisories/GHSA-hh6j-j73p-cp3h", "refsource": "CONFIRM", "url": "https://github.com/puncsky/touchbase.ai/security/advisories/GHSA-hh6j-j73p-cp3h"}, {"name": "https://github.com/puncsky/touchbase.ai/pull/400/commits/69de77b163f6debaeb3f8d1a85367310a40d196f", "refsource": "MISC", "url": "https://github.com/puncsky/touchbase.ai/pull/400/commits/69de77b163f6debaeb3f8d1a85367310a40d196f"}]}, "source": {"advisory": "GHSA-hh6j-j73p-cp3h", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:49:07.176Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/puncsky/touchbase.ai/security/advisories/GHSA-hh6j-j73p-cp3h"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/puncsky/touchbase.ai/pull/400/commits/69de77b163f6debaeb3f8d1a85367310a40d196f"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-26220", "datePublished": "2020-11-11T22:15:14.000Z", "dateReserved": "2020-10-01T00:00:00.000Z", "dateUpdated": "2024-08-04T15:49:07.176Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:touchbase.ai_project:touchbase.ai:*:*:*:*:*:*:*:*", "matchCriteriaId": "30CC5E42-0D4C-45BD-B3FA-072DDE3FBA5D", "versionEndExcluding": "2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "toucbase.ai before version 2.0 leaks information by not stripping exif data from images. Anyone with access to the uploaded image of other users could obtain its geolocation, device, and software version data etc (if present. The issue is fixed in version 2.0."}, {"lang": "es", "value": "toucbase.ai anterior a versi\u00f3n 2.0 filtra informaci\u00f3n al no eliminar los datos exif de las im\u00e1genes. Cualquiera con acceso a la imagen cargada de otros usuarios podr\u00eda obtener su geolocalizaci\u00f3n, dispositivo y datos de versi\u00f3n de software, etc. (Si est\u00e1 presente). El problema es corregido en la versi\u00f3n 2.0"}], "id": "CVE-2020-26220", "lastModified": "2024-11-21T05:19:34.077", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-11-11T23:15:11.477", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/puncsky/touchbase.ai/pull/400/commits/69de77b163f6debaeb3f8d1a85367310a40d196f"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/puncsky/touchbase.ai/security/advisories/GHSA-hh6j-j73p-cp3h"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/puncsky/touchbase.ai/pull/400/commits/69de77b163f6debaeb3f8d1a85367310a40d196f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/puncsky/touchbase.ai/security/advisories/GHSA-hh6j-j73p-cp3h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}]}