CVE-2024-38353

Name of the Vulnerable Software and Affected Versions CodiMD versions prior to 2.5.4

Description CodiMD is missing authentication and access control, allowing an unauthenticated attacker to gain unauthorized access to image data uploaded to CodiMD. The issue arises because CodiMD does not require valid authentication to access uploaded images or to upload new image data. An attacker who can determine an uploaded image's URL can gain unauthorized access to uploaded image data. The insecure random filename generation in the underlying Formidable library increases the likelihood of this issue being exploited, as it allows an attacker to determine the filenames for previously uploaded images.

Recommendations For versions prior to 2.5.4, update to version 2.5.4 to resolve the issue. As a temporary workaround, consider restricting access to the image upload feature to minimize the risk of exploitation. Avoid using the vulnerable image upload functionality until the issue is resolved.