Closed
Description
In GitHub Security Advisory GHSA-qmfx-75ff-8mw6, there is a vulnerability in the following Go packages or modules:

Unit | Fixed | Vulnerable Ranges |
---|---|---|
github.com/ThomasLeister/prosody-filer | 1.0.1 | < 1.0.1 |

See doc/triage.md for instructions on how to triage this report.

```
package: github.com/ThomasLeister/prosody-filer
versions:
  - introduced: v0.0.0
    fixed: v1.0.1
description: "There's a security issue in prosody-filer versions **< 1.0.1** which
  leads to unwanted directory listings of download directories. \n\nAn attacker
  is able to list previous uploads of a certain user by shortening the URL and accessing
  a URL subdirectory other than `/upload/` (or the corresponding user defined root
  dir)\n\nVersion 1.0.1 and later fix this problem and allow only direct file access
  if the full path is known. Directory listings are blocked entirely."
published: 2021-05-27T18:41:00Z
last_modified: 2021-05-27T18:41:00Z
ghsas:
  - GHSA-qmfx-75ff-8mw6
```