CVE-2023-40168

MEDIUM Year: 2023
CVSS v3 Score
6.5
Medium
Weakness Type
CWE-863
View all →

Vulnerability Description

TurboWarp is a desktop application that compiles scratch projects to JavaScript. TurboWarp Desktop versions prior to version 1.8.0 allowed a malicious project or custom extension to read arbitrary files from disk and upload them to a remote server. The only required user interaction is opening the sb3 file or loading the extension. The web version of TurboWarp is not affected. This bug has been addressed in commit `55e07e99b59` after an initial fix which was reverted. Users are advised to upgrade to version 1.8.0 or later. Users unable to upgrade should avoid opening sb3 files or loading extensions from untrusted sources.

Related Vulnerabilities

CVE-2009-2213

MEDIUM
CVSS:6.5(Medium)

The default configuration of the Security global settings on the Citrix NetScaler Access Gateway appliance with Enterprise Edition firmware 9.0, 8.1, and earlier specifies Allow for the Default Author...

CWE-8632009

CVE-2011-3617

MEDIUM
CVSS:6.5(Medium)

Tahoe-LAFS v1.3.0 through v1.8.2 could allow unauthorized users to delete immutable files in some cases.

CWE-8632011

CVE-2014-0169

MEDIUM
CVSS:6.5(Medium)

In JBoss EAP 6 a security domain is configured to use a cache that is shared between all applications that are in the security domain. This could allow an authenticated user in one application to acce...

CWE-8632014

CVE-2015-1780

MEDIUM
CVSS:6.5(Medium)

oVirt users with MANIPULATE_STORAGE_DOMAIN permissions can attach a storage domain to any data-center

CWE-8632015

CVE-2016-3131

MEDIUM
CVSS:6.5(Medium)

Cloudera CDH before 5.6.1 allows authorization bypass via direct internal API calls.

CWE-8632016

CVE-2016-6353

MEDIUM
CVSS:6.5(Medium)

Cloudera Search in CDH before 5.7.0 allows unauthorized document access because Solr Queries by document id can bypass Sentry document-level security via the RealTimeGetHandler.

CWE-8632016