PT-2024-20108 · Microsoft · Windows
Iakov +1 · Published 2024-01-29 · Updated 2024-02-08
CVE-2024-23826
CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H
Name of the Vulnerable Software and Affected Versions
spbu se site versions prior to 2024.01.29
Description
The issue arises when an authenticated user uploads an avatar image with a large Unicode filename, leading to a server-side denial of service under Windows. This is due to the lack of limitation on the filename length and the costly use of Unicode normalization with the form NFKD on Windows OS.
Recommendations
For versions prior to 2024.01.29, update to the 2024.01.29 release to resolve the issue. As a temporary workaround, consider restricting the length of filenames for avatar uploads to prevent potential denial of service attacks.
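One way to apply the temporary workaround, as an added example (not the project's own code or its actual fix). It assumes a Python upload handler; the function names and the 255-character limits are illustrative. The length is checked before NFKD runs, and again afterwards, because compatibility decomposition can expand a short name.

```python
import unicodedata

# Assumed limits; the page does not state the values used in the fix.
MAX_RAW_CHARS = 255
MAX_NORMALIZED_CHARS = 255
ALLOWED_PUNCT = "._-"


class FilenameRejected(ValueError):
    """The uploaded filename failed validation and must not be processed."""


def bounded_nfkd_filename(raw: str) -> str:
    """Return a sanitized ASCII filename while bounding the cost of NFKD."""
    # 1. Constant-time length check BEFORE normalization, so an oversized
    #    name is refused without the server doing any Unicode work on it.
    if not raw or len(raw) > MAX_RAW_CHARS:
        raise FilenameRejected("filename length out of bounds")

    # 2. Drop any client-supplied directory part (both separator styles).
    name = raw.replace("\\", "/").rsplit("/", 1)[-1]

    # 3. Normalization now runs on at most MAX_RAW_CHARS code points.
    normalized = unicodedata.normalize("NFKD", name)

    # 4. NFKD can expand one code point into many (U+FDFA becomes 18),
    #    so the result is bounded as well.
    if len(normalized) > MAX_NORMALIZED_CHARS:
        raise FilenameRejected("filename expands past the limit")

    # 5. Keep ASCII letters, digits and a few punctuation marks; this drops
    #    the combining marks NFKD split off. Leading dots are stripped.
    cleaned = "".join(
        ch for ch in normalized
        if ch.isascii() and (ch.isalnum() or ch in ALLOWED_PUNCT)
    ).lstrip(".")
    if not cleaned:
        raise FilenameRejected("nothing left after sanitization")
    return cleaned


def is_rejected(raw: str) -> bool:
    """Convenience wrapper: True when the filename would be refused."""
    try:
        bounded_nfkd_filename(raw)
    except FilenameRejected:
        return True
    return False
```

A rejected name should be answered with a client error before any file contents are written; a request body size limit at the web server is still needed to bound the upload itself.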
Exploit
Fix
Allocation of Resources Without Limits
Weakness Enumeration
Related Identifiers
Affected Products
Windows