PT-2024-23308 · Collabora · Collabora Online Voilà Dashboard

Ericfinger · Published 2024-04-03 · Updated 2024-04-04 · CVE-2024-30265

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Collabora Online voilà dashboard versions prior to 0.2.17
Collabora Online voilà dashboard versions prior to 0.3.8
Collabora Online voilà dashboard versions prior to 0.4.4
Collabora Online voilà dashboard versions prior to 0.5.6

Description
The issue allows local file inclusion: anyone with network access to the server can download any file on the filesystem that is readable by the user running the voilà dashboard server. Whether authentication is required depends on how voilà is deployed. Multiple voilà instances online are impacted.

Recommendations
For versions prior to 0.2.17, update to version 0.2.17 or later.
For versions prior to 0.3.8, update to version 0.3.8 or later.
For versions prior to 0.4.4, update to version 0.4.4 or later.
For versions prior to 0.5.6, update to version 0.5.6 or later.
As a temporary workaround, consider restricting access to the "/static" route until a patch is available. Restrict access to sensitive files on the filesystem to minimize the risk of exploitation.

Related Identifiers

CVE-2024-30265
GHSA-2Q59-H24C-W6FG

Affected Products

Collabora Online Voilà Dashboard