Severity: Medium

Project: openui

Unauthenticated File Upload Leading to Multiple Vulnerabilities

The latest version (commit hash: c945bb859979659add5f490a874140ad17c56a5d) of the software allows unauthenticated file uploads to an AWS S3 bucket, leading to information disclosure, stored XSS, and denial of service. This issue has not yet been patched.

Available publicly on Dec 17 2024

CVSS score: 6.1

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Credit: winters0x64

Remediation Steps
  1. Implement authentication and authorization checks on the upload and download endpoints to ensure only authorized users can access these functionalities.
  2. Validate and sanitize all inputs to prevent malicious content from being uploaded.
  3. Implement rate limiting to prevent abuse of the upload functionality.
  4. Regularly monitor and audit the contents of the S3 bucket to detect and remove any malicious files.
  5. Update the software to the latest version once a patch is available.

Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A