SCA: security update for save-server (GHSA-wwrj-35w6-77ff)

high Tenable Cloud Security Plugin ID 420163

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- save-server (npm package) before version 1.05 is affected by a CSRF vulnerability, as there is no CSRF
mitigation (Tokens etc.). The fix introduced in version version 1.05 unintentionally breaks uploading so
version v1.0.7 is the fixed version. This is patched by implementing Double submit. The CSRF attack would
require you to navigate to a malicious site while you have an active session with Save-Server (Session key
stored in cookies). The malicious user would then be able to perform some actions, including
uploading/deleting files and adding redirects. If you are logged in as root, this attack is significantly
more severe. They can in addition create, delete and update users. If they updated the password of a user,
that user's files would then be available. If the root password is updated, all files would be visible if
they logged in with the new password. Note that due to the same origin policy malicious actors cannot view
the gallery or the response of any of the methods, nor be sure they succeeded. This issue has been patched
in version 1.0.7. (CVE-2020-15135)

See Also

https://github.com/advisories/GHSA-wwrj-35w6-77ff

Plugin Details

Severity: High

ID: 420163

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.5

Percentile: 57.18

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2020-15135

CVSS v3

Risk Factor: High

Base Score: 7.6

Temporal Score: 6.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/4/2020

Vulnerability Publication Date: 8/4/2020

Reference Information

CVE: CVE-2020-15135

cwe: CWE-352