PT-2024-29334 · Filestash · Filestash

Bingyu Li · Published 2024-07-31 · Updated 2025-03-18 · CVE-2024-41256

CVSS v4.0: 8.5 (High)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: filestash version 0.4

Description: The issue is related to the ShareProofVerifier function in filestash, which skips TLS certificate verification when sending out email verification codes. This could allow attackers to access sensitive data via a man-in-the-middle attack.

Recommendations: For filestash version 0.4, consider disabling the ShareProofVerifier function until a patch is available to enforce TLS certificate verification. Restrict access to sensitive data to minimize the risk of exploitation.
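To make the weakness class concrete, the following Go program is an added example written for this page; it is not Filestash code and does not reproduce ShareProofVerifier. It assumes an outbound SMTP-over-TLS connection, uses a constructed hostname (smtp.example.invalid) and a self-signed certificate served from an in-process loopback listener, and contrasts a client that sets InsecureSkipVerify (the kind of defect the description names) with one that keeps verification on, both against the default trust store and with the certificate provisioned into a trust store, which is what a fix should look like instead of switching verification off. The error-type check assumes Go 1.20 or newer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"time"
)

// smtpTLSConfig builds the client TLS settings for the mail-server connection.
// skipVerify=true reproduces the weakness the advisory describes: the server
// certificate is never checked, so whoever answers on the network path is accepted.
func smtpTLSConfig(serverName string, skipVerify bool, roots *x509.CertPool) *tls.Config {
	return &tls.Config{
		ServerName:         serverName,
		InsecureSkipVerify: skipVerify, // the defect when true; must stay false
		RootCAs:            roots,      // operator trust store; nil selects the system roots
		MinVersion:         tls.VersionTLS12,
	}
}

// dialSMTPTLS dials addr and completes the handshake (tls.Dial does both); nil means accepted.
func dialSMTPTLS(addr string, cfg *tls.Config) error {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err == nil {
		_ = conn.Close()
	}
	return err
}

// newSelfSignedCert makes a throwaway certificate for the constructed in-process listener.
func newSelfSignedCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, err
}

// Compare runs three client configurations against one in-process server whose
// certificate is self-signed, hence untrusted by default: InsecureSkipVerify (the bug),
// default verification, and verification with the certificate provisioned as a root (the fix).
func Compare() (insecureAccepted, strictRejected, pinnedAccepted bool, err error) {
	const host = "smtp.example.invalid" // constructed hostname for this example
	cert, parsed, err := newSelfSignedCert(host)
	if err != nil {
		return false, false, false, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return false, false, false, err
	}
	defer ln.Close()
	go func() { // one handshake per connection, then wait for the client to hang up
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			if c.(*tls.Conn).Handshake() == nil { // fails when the client rightly rejects the cert
				_, _ = io.Copy(io.Discard, c)
			}
			_ = c.Close()
		}
	}()
	addr := ln.Addr().String()
	insecureAccepted = dialSMTPTLS(addr, smtpTLSConfig(host, true, nil)) == nil
	var cve *tls.CertificateVerificationError // Go 1.20+: the verifier's rejection type
	strictRejected = errors.As(dialSMTPTLS(addr, smtpTLSConfig(host, false, nil)), &cve)
	pool := x509.NewCertPool()
	pool.AddCert(parsed)
	pinnedAccepted = dialSMTPTLS(addr, smtpTLSConfig(host, false, pool)) == nil
	return insecureAccepted, strictRejected, pinnedAccepted, nil
}

func main() {
	fmt.Println(Compare()) // true true true <nil>
}
```

Run with `go run`: the insecure client connects no matter who presented the certificate, the strict client refuses with a certificate verification error, and the strict client with a provisioned trust store still reaches the server, which is the shape a fix should take. In code review, any `InsecureSkipVerify: true` on an outbound mail, webhook or OAuth path is a finding worth raising regardless of what the surrounding function is called.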

Weakness Enumeration: Improper Certificate Validation

Related Identifiers: CVE-2024-41256, GHSA-MPVX-WHPP-99XJ, GO-2024-3035

Affected Products: Filestash