Home > Vulnerability Database > WS-2020-0336

Mend.io Vulnerability Database

WS-2020-0336

Date: August 19, 2025

There's an security issue in prosody-filer before version 1.0.1 which leads to unwanted directory listings of download directories. An attacker is able to list previous uploads of a certain user by shortening the URL and accessing a URL subdirectors other than /upload/ (or the corresponding user defined root dir) Version 1.0.1 and later fix this problem and allow only direct file access if the full path is known. Directory listings are blocked entirely.

Language: Go

Severity Score

5.8

Related Resources (3)

Url: https://github.com/ThomasLeister/prosody-filer/commit/7dff0209f563414ced7584120dd7070ce2044155

Url: https://github.com/ThomasLeister/prosody-filer/security/advisories/GHSA-qmfx-75ff-8mw6

Url: https://www.mend.io/vulnerability-database/WS-2020-0336

Severity Score

5.8

Weakness Type (CWE)

Improper Access Control

CWE-284

Files or Directories Accessible to External Parties

CWE-552

CVSS v3.1

Base Score:	5.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

WS-2020-0336

Date: August 19, 2025

Language: Go

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?