LiquidFiles 3.4.15 has stored XSS through the "send email" functionality when sending a file via email to an administrator. When a file has no extension and contains malicious HTML / JavaScript content (such as SVG with HTML content), the payload is executed upon a click. This is fixed in 3.5.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NLiquidfiles
APPLiquidfiles3.4.15
Related vulnerabilities
RCE jako root w LiquidFiles — FTP SITE CHMOD z setuid/setgid
An XSS issue was found in the Shares feature of LiquidFiles before 3.3.19. The issue arises from the insecure ...
LiquidFiles filetransfer server is vulnerable to a user enumeration issue in its password reset functionality....
LiquidFiles before 3.6.3 allows remote attackers to elevate their privileges from Admin (or User Admin) to Sys...
HTML and SMTP injections on the registration page of LiquidFiles versions 3.7.13 and below, allow an attacker ...