GHSA-mvf6-3f2g-xfxf: endroid/qr-code-bundle File Disclosure via logo_path query parameter
Versions of endroid/qr-code-bundle prior to 3.4.2 are affected by a file disclosure vulnerability through the logo_path query parameter. The bundle does not verify that the file referenced by logo_path is actually image data, so a non-image file can be loaded as the logo and its contents disclosed unintentionally.
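The two checks a defender would want around a user-controlled logo path, as an added example that is not the bundle's own code or its fix: the path is canonicalised and confined to a dedicated logo directory, and the file is only accepted if it parses as image data. The `LogoPathValidator` class, the `$logoDir` layout and the sample files are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical hardening helper (not the bundle's own code). Assumes logos
// live under one dedicated directory and that only PNG/JPEG/GIF are acceptable.
final class LogoPathValidator
{
    private const ALLOWED_TYPES = [IMAGETYPE_PNG, IMAGETYPE_JPEG, IMAGETYPE_GIF];

    public function __construct(private string $logoDir)
    {
        $real = realpath($logoDir);
        if ($real === false) {
            throw new \InvalidArgumentException("Logo directory does not exist: $logoDir");
        }
        $this->logoDir = $real;
    }

    /**
     * Returns the canonical path of a logo that is safe to embed, or null if
     * the request must be refused (outside the logo directory, not a regular
     * file, or not actually image data).
     */
    public function resolve(string $requested): ?string
    {
        // Reject empty input and NUL bytes, which some PHP file functions truncate on.
        if ($requested === '' || str_contains($requested, "\0")) {
            return null;
        }

        // Canonicalise relative to the logo directory; realpath() also resolves
        // symlinks and '..' segments, and returns false for missing paths.
        $candidate = realpath($this->logoDir . DIRECTORY_SEPARATOR . $requested);
        if ($candidate === false || !is_file($candidate)) {
            return null;
        }

        // Containment check: the canonical path must start with the logo
        // directory plus a separator, so a sibling like "logos-other" is not
        // mistaken for something inside "logos".
        $prefix = $this->logoDir . DIRECTORY_SEPARATOR;
        if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
            return null;
        }

        // Content check: the file must parse as an allowed image type;
        // the file extension alone is not evidence.
        $info = @getimagesize($candidate);
        if ($info === false || !in_array($info[2], self::ALLOWED_TYPES, true)) {
            return null;
        }

        return $candidate;
    }
}

// Usage with constructed sample files: a 1x1 PNG inside the logo directory,
// a text file inside it, and a text file just outside it.
$dir = sys_get_temp_dir() . '/logo-demo-' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/ok.png', base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
));
file_put_contents($dir . '/notes.txt', "not an image\n");
$outside = $dir . '-outside.txt';
file_put_contents($outside, "also not an image\n");

$v = new LogoPathValidator($dir);
var_dump($v->resolve('ok.png') !== null);                 // true: real image inside the directory
var_dump($v->resolve('notes.txt'));                        // NULL: non-image data is refused
var_dump($v->resolve('../' . basename($outside)));         // NULL: outside the logo directory
```

Both checks are needed: containment alone would still let a non-image file inside the logo directory be served as the logo, and the image check alone would still read files from anywhere on disk before deciding. Keep the logo directory free of anything that is not a logo, since the validator treats everything under it as servable.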
References
- github.com/FriendsOfPHP/security-advisories/blob/master/endroid/qr-code-bundle/2019-12-22.yaml
- github.com/advisories/GHSA-mvf6-3f2g-xfxf
- github.com/endroid/qr-code-bundle
- github.com/endroid/qr-code-bundle/commit/51928eaaa30e7db1fd3f1076744dcbc8f8cec8c8
- github.com/endroid/qr-code-bundle/releases/tag/3.4.2