CVE-2023-1975

Name of the Vulnerable Software and Affected Versions answerdev/answer versions prior to 1.0.8

Description The issue concerns the insertion of sensitive information into sent data. Specifically, answerdev/answer, an open-source knowledge-based community software, does not strip EXIF geolocation data from user-uploaded logos prior to version 1.0.8. This allows anyone to obtain sensitive information, including a user's device ID, geolocation, system information, and system version.

Recommendations For versions prior to 1.0.8, update to version 1.0.8 or later to resolve the issue. As a temporary workaround, consider disabling the upload of logos or restricting access to user-uploaded content until the update is applied.