CVE-2020-29071

9.0 CRITICAL

📋 TL;DR

This cross-site scripting (XSS) vulnerability in LiquidFiles allows attackers to execute malicious scripts when users access specially crafted HTML attachments via the -htmlview URL. The impact can range from stealing sensitive email data to gaining root access on the server, depending on the victim's permissions. All LiquidFiles users with the Shares feature enabled are affected.

💻 Affected Systems

Products:
  • LiquidFiles
Versions: All versions before 3.3.19
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the Shares feature to be enabled, which is commonly used for file sharing functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker gains root access on the LiquidFiles server, potentially compromising the entire system and all encrypted email data.

🟠 Likely Case

Attacker steals session cookies, authentication tokens, or sensitive email content from users who access malicious HTML attachments.

🟢 If Mitigated

Limited to stealing session data from users who click on malicious links, assuming proper network segmentation and user awareness training.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a user to access a malicious HTML attachment via the vulnerable -htmlview endpoint. The public advisory includes technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.3.19

Vendor Advisory: https://man.liquidfiles.com/release_notes/version_3-3-x.html

Restart Required: Yes

Instructions:

1. Back up your LiquidFiles configuration and data.
2. Download version 3.3.19 or later from the official LiquidFiles website.
3. Follow the upgrade instructions for your deployment method (appliance, Docker, or manual).
4. Restart the LiquidFiles service.

🔧 Temporary Workarounds

Disable HTML file viewing (platforms: all)

Temporarily disable the -htmlview functionality or block access to HTML attachments in the Shares feature

Configuration depends on deployment method. Check LiquidFiles admin interface for content filtering options.

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to prevent script execution
  • Use web application firewall (WAF) rules to block malicious HTML content and monitor for XSS attempts

🔍 How to Verify

Check if Vulnerable:

Check if LiquidFiles version is below 3.3.19 in the admin interface or via system commands

Check Version:

Check admin dashboard or run: cat /opt/liquidfiles/version.txt (path may vary)

Verify Fix Applied:

Confirm version is 3.3.19 or higher and test that HTML attachments no longer execute scripts when accessed via -htmlview

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to -htmlview URLs
  • Multiple failed attempts to upload or access HTML files

Network Indicators:

  • Suspicious HTML file uploads followed by immediate -htmlview access requests

SIEM Query:

source="liquidfiles" AND (url="*htmlview*" OR file_extension="html") | stats count by src_ip, user
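
The same grouping as the SIEM query, as an added Python example that is not part of the advisory or of LiquidFiles. It also lists which users were actually served each -htmlview URL, which is what you need to scope exposure. It assumes a combined-format web access log with the authenticated user in the third field; the sample lines and the /EXAMPLE/ path are constructed placeholders.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Assumed combined log format: ip ident user [time] "METHOD path PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def htmlview_hits(lines):
    """Yield (ip, user, path, status) for each request to a -htmlview URL."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # line is not in the assumed format
        # Drop the query string and decode %xx so "%2Dhtmlview" is not missed.
        path = unquote(m["path"].split("?", 1)[0])
        if "-htmlview" in path.lower():
            yield m["ip"], m["user"], path, int(m["status"])

def summarize(lines):
    """Return (hits per (ip, user), users served each -htmlview path)."""
    per_client = Counter()      # same grouping as the SIEM query above
    served = defaultdict(set)   # path -> users who received a 2xx response
    for ip, user, path, status in htmlview_hits(lines):
        per_client[(ip, user)] += 1
        if 200 <= status < 300:
            served[path].add(user)
    return dict(per_client), {p: sorted(u) for p, u in served.items()}

# Constructed sample lines; /EXAMPLE/ is a placeholder, not a real LiquidFiles path.
SAMPLE_LOG = [
    '198.51.100.7 - alice [12/Nov/2020:10:01:02 +0000] "GET /EXAMPLE/invoice.html-htmlview HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - alice [12/Nov/2020:10:01:09 +0000] "GET /EXAMPLE/invoice.html-htmlview HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.20 - bob [12/Nov/2020:10:03:44 +0000] "GET /EXAMPLE/invoice.html%2Dhtmlview HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.21 - carol [12/Nov/2020:10:04:10 +0000] "GET /EXAMPLE/invoice.html-htmlview HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '203.0.113.20 - bob [12/Nov/2020:10:05:00 +0000] "GET /EXAMPLE/notes.pdf HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    counts, exposed = summarize(SAMPLE_LOG)
    for (ip, user), n in sorted(counts.items()):
        print(f"{n:3d} -htmlview requests from {ip} as {user}")
    for path, users in exposed.items():
        print(f"{path} was served to: {', '.join(users)}")
```

Users listed as served are the ones whose sessions should be reviewed; a denied request (carol in the sample) is counted per client but not treated as exposure.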
