Description

Overleaf is a web-based collaborative LaTeX editor. Overleaf Community Edition and Server Pro prior to version 5.0.7 (or 4.2.7 for the 4.x series) contain a vulnerability that allows an arbitrary language parameter in client spelling requests to be passed to the `aspell` executable running on the server. This causes `aspell` to attempt to load a dictionary file with an arbitrary filename. File access is limited to the scope of the overleaf server. The problem is patched in versions 5.0.7 and 4.2.7. Previous versions can be upgraded using the Overleaf toolkit `bin/upgrade` command. Users unable to upgrade may block POST requests to `/spelling/check` via a Web Application Firewall will prevent access to the vulnerable spell check feature. However, upgrading is advised.

INFO

Published Date :

2024-09-02T16:50:08.305Z

Last Modified :

2024-09-03T14:04:59.459Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-45312 vulnerability.

Vendors Products
Overleaf
  • Overleaf
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-45312.

URL Resource
https://github.com/overleaf/overleaf/commit/b5e5d39c3ad4e7763d42b837738955f8ded4dcd3 cve-icon cve-icon
https://github.com/overleaf/overleaf/security/advisories/GHSA-pxm4-p454-vppg cve-icon cve-icon
https://github.com/overleaf/toolkit cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact