Add CVE-2020-26220 for GHSA-hh6j-j73p-cp3h

2025-08-04 08:44:25 +00:00 · 2020-11-11 19:12:56 -03:00 · 2020-11-11 19:12:56 -03:00 · 10195c12e1
commit 10195c12e1
parent e109200cef
1 changed files with 76 additions and 6 deletions
--- a/2020/26xxx/CVE-2020-26220.json
+++ b/2020/26xxx/CVE-2020-26220.json
@ -1,18 +1,88 @@
 {
-    "data_type": "CVE",
-    "data_format": "MITRE",
-    "data_version": "4.0",
    "CVE_data_meta": {
+        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2020-26220",
-        "ASSIGNER": "cve@mitre.org",
-        "STATE": "RESERVED"
+        "STATE": "PUBLIC",
+        "TITLE": "Information exposure in touchbase.ai"
    },
+    "affects": {
+        "vendor": {
+            "vendor_data": [
+                {
+                    "product": {
+                        "product_data": [
+                            {
+                                "product_name": "touchbase.ai",
+                                "version": {
+                                    "version_data": [
+                                        {
+                                            "version_value": "< 2.0"
+                                        }
+                                    ]
+                                }
+                            }
+                        ]
+                    },
+                    "vendor_name": "puncsky"
+                }
+            ]
+        }
+    },
+    "data_format": "MITRE",
+    "data_type": "CVE",
+    "data_version": "4.0",
    "description": {
        "description_data": [
            {
                "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+                "value": "toucbase.ai before version 2.0 leaks information by not stripping exif data from images. Anyone with access to the uploaded image of other users could obtain its geolocation, device, and software version data etc (if present. The issue is fixed in version 2.0."
            }
        ]
+    },
+    "impact": {
+        "cvss": {
+            "attackComplexity": "LOW",
+            "attackVector": "NETWORK",
+            "availabilityImpact": "NONE",
+            "baseScore": 3.5,
+            "baseSeverity": "LOW",
+            "confidentialityImpact": "LOW",
+            "integrityImpact": "NONE",
+            "privilegesRequired": "LOW",
+            "scope": "UNCHANGED",
+            "userInteraction": "REQUIRED",
+            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
+            "version": "3.1"
+        }
+    },
+    "problemtype": {
+        "problemtype_data": [
+            {
+                "description": [
+                    {
+                        "lang": "eng",
+                        "value": "{\"CWE-200\":\"Exposure of Sensitive Information to an Unauthorized Actor\"}"
+                    }
+                ]
+            }
+        ]
+    },
+    "references": {
+        "reference_data": [
+            {
+                "name": "https://github.com/puncsky/touchbase.ai/security/advisories/GHSA-hh6j-j73p-cp3h",
+                "refsource": "CONFIRM",
+                "url": "https://github.com/puncsky/touchbase.ai/security/advisories/GHSA-hh6j-j73p-cp3h"
+            },
+            {
+                "name": "https://github.com/puncsky/touchbase.ai/pull/400/commits/69de77b163f6debaeb3f8d1a85367310a40d196f",
+                "refsource": "MISC",
+                "url": "https://github.com/puncsky/touchbase.ai/pull/400/commits/69de77b163f6debaeb3f8d1a85367310a40d196f"
+            }
+        ]
+    },
+    "source": {
+        "advisory": "GHSA-hh6j-j73p-cp3h",
+        "discovery": "UNKNOWN"
    }
 }