PT-2020-17091 · Liquidfiles · Liquidfiles

Published: 2020-11-25 · Updated: 2020-12-02 · CVE-2020-29072

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: LiquidFiles versions prior to 3.3.19
Description: A Cross-Site Script Inclusion (XSSI) vulnerability was found. It is a client-side attack that requires user interaction, such as opening a link to an attacker-controlled page while logged in to LiquidFiles. That page can load the authenticated "messages/sent?format=js" and "popup?format=js" API endpoints as a script: the browser attaches the victim's session to the request, the endpoints answer with executable JavaScript that carries the user's data, and the attacker's page can read whatever that script defines. The format parameter is what selects this JavaScript representation of the response. Successful exploitation could lead to leakage of encrypted e-mail content.
Recommendations: For versions prior to 3.3.19, update to version 3.3.19 or later to resolve the issue. Until the update can be applied, restrict access to the "messages/sent?format=js" and "popup?format=js" API endpoints, and do not expose the JavaScript response format (the format parameter) on these endpoints, so that the data cannot be fetched as a cross-site script.

Related Identifiers

CVE-2020-29072

Affected Products

Liquidfiles