@uppy/companion/.../companion@1.3.0 vulnerabilities
OAuth helper and remote fetcher for Uppy's (https://uppy.io) extensible file upload widget with support for drag&drop, resumable uploads, previews, restrictions, file processing/encoding, remote providers like Dropbox and Google Drive, S3 and more :dog:
latest version
5.2.0
latest non vulnerable version
first published
6 years ago
latest version published
6 days ago
licenses detected
- >=0.14.0 <4.0.1
Direct Vulnerabilities
Known vulnerabilities in the @uppy/companion package. This does not include vulnerabilities belonging to this package’s dependencies.
How to fix?
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free| Vulnerability | Vulnerable Version |
|---|---|
@uppy/companion is a server integration for Uppy file uploader. Affected versions of this package are vulnerable to Information Exposure via a debug flag that is set to true by default, a user with URL upload access could enumerate internal companion server networks, send local webservers files to the destination server, and finally download them If each of these files had a guessable and regular name. How to fix Information Exposure? Upgrade | <3.3.1 |
@uppy/companion is a server integration for Uppy file uploader. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF). The How to fix Server-side Request Forgery (SSRF)? Upgrade | <1.9.3 |
@uppy/companion is a server integration for Uppy file uploader. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF). An attacker can create a host or file and redirect all requests which are being received to a specific internal host. How to fix Server-side Request Forgery (SSRF)? Upgrade | <1.13.2>=2.0.0-alpha.0 <2.0.0-alpha.5 |