Cloudreve
Monthly
Privilege escalation via OAuth scope enforcement bypass affects Cloudreve self-hosted file management versions 4.12.0 through 4.16.0, where access tokens are issued without the client_id claim. Because the JWT verifier keys scope loading on client_id, a holder of a legitimately-issued low-scope OAuth access token can invoke APIs requiring higher scopes - file, share, workflow, user setting, WebDAV account, and potentially admin - as the enforcement layer degrades to non-scoped session authentication. No public exploit identified at time of analysis, but the root cause is confirmed by the vendor's fix commit and advisory GHSA-vgj4-345g-jcf8, with the issue resolved in 4.16.1.
Path traversal via improper authorization in Cloudreve's WebDAV handler lets a scoped WebDAV account escape its configured root folder, reading and listing files anywhere the server process can reach, and - with a writable credential - creating, overwriting, moving, or deleting them. All versions prior to 4.16.1 are affected. No public exploit is identified at time of analysis and it is not listed in CISA KEV, though the flaw is straightforward to trigger once a low-privileged WebDAV credential is held.
Server-Side Request Forgery in Cloudreve's remote download workflow (versions prior to 4.16.1) enables authenticated users holding the remote download permission to direct the application server to fetch arbitrary internal URLs via POST /api/v4/workflow/download. Because the downloader accepted user-supplied URLs without validating loopback, localhost, IPv6 localhost, or redirect-to-loopback targets, a low-privileged user could exfiltrate responses from internal services - including cloud instance metadata endpoints, internal APIs, or services bound to 127.0.0.1 - by reading the downloaded content from their own Cloudreve file storage. No public exploit has been identified at time of analysis; vendor-released patch 4.16.1 is available.
Cloudreve versions v1.0.0 through v3.5.3 are vulnerable to Stored Cross-Site Scripting (XSS), via the file upload functionality. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Privilege escalation via OAuth scope enforcement bypass affects Cloudreve self-hosted file management versions 4.12.0 through 4.16.0, where access tokens are issued without the client_id claim. Because the JWT verifier keys scope loading on client_id, a holder of a legitimately-issued low-scope OAuth access token can invoke APIs requiring higher scopes - file, share, workflow, user setting, WebDAV account, and potentially admin - as the enforcement layer degrades to non-scoped session authentication. No public exploit identified at time of analysis, but the root cause is confirmed by the vendor's fix commit and advisory GHSA-vgj4-345g-jcf8, with the issue resolved in 4.16.1.
Path traversal via improper authorization in Cloudreve's WebDAV handler lets a scoped WebDAV account escape its configured root folder, reading and listing files anywhere the server process can reach, and - with a writable credential - creating, overwriting, moving, or deleting them. All versions prior to 4.16.1 are affected. No public exploit is identified at time of analysis and it is not listed in CISA KEV, though the flaw is straightforward to trigger once a low-privileged WebDAV credential is held.
Server-Side Request Forgery in Cloudreve's remote download workflow (versions prior to 4.16.1) enables authenticated users holding the remote download permission to direct the application server to fetch arbitrary internal URLs via POST /api/v4/workflow/download. Because the downloader accepted user-supplied URLs without validating loopback, localhost, IPv6 localhost, or redirect-to-loopback targets, a low-privileged user could exfiltrate responses from internal services - including cloud instance metadata endpoints, internal APIs, or services bound to 127.0.0.1 - by reading the downloaded content from their own Cloudreve file storage. No public exploit has been identified at time of analysis; vendor-released patch 4.16.1 is available.
Cloudreve versions v1.0.0 through v3.5.3 are vulnerable to Stored Cross-Site Scripting (XSS), via the file upload functionality. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.