Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tdmY2LTNmMmcteGZ4Zs4AA8Hb
endroid/qr-code-bundle File Disclosure via logo_path query parameter
Versions of endroid/qr-code-bundle prior to 3.4.2 are affected by a security vulnerability that allows disclosure of files through the logo_path query parameter. The vulnerability arises from the improper handling of non-image data as the logo, which could lead to unintended file disclosure.
Permalink: https://github.com/advisories/GHSA-mvf6-3f2g-xfxfJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tdmY2LTNmMmcteGZ4Zs4AA8Hb
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 6 months ago
Updated: 6 months ago
Identifiers: GHSA-mvf6-3f2g-xfxf
References:
- https://github.com/endroid/qr-code-bundle/commit/51928eaaa30e7db1fd3f1076744dcbc8f8cec8c8
- https://github.com/FriendsOfPHP/security-advisories/blob/master/endroid/qr-code-bundle/2019-12-22.yaml
- https://github.com/endroid/qr-code-bundle/releases/tag/3.4.2
- https://github.com/advisories/GHSA-mvf6-3f2g-xfxf
Blast Radius: 0.0
Affected Packages
packagist:endroid/qr-code-bundle
Dependent packages: 9Dependent repositories: 127
Downloads: 6,994,176 total
Affected Version Ranges: < 3.4.2
Fixed in: 3.4.2
All affected versions: 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4.0, 3.4.1
All unaffected versions: 3.4.2, 3.4.3, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 5.0.0, 5.0.1, 5.0.2, 6.0.0