Description
Capgo before 12.128.2 fails to strip EXIF metadata from images uploaded via the app information endpoint, exposing sensitive geolocation data. Attackers can upload images containing EXIF metadata to extract geographic location information and other embedded metadata from uploaded files.
Problem types
Exposure of Sensitive Information to an Unauthorized Actor
Product status
Any version before 12.128.2
12.128.2 (semver)
References
github.com/.../capgo/security/advisories/GHSA-62jm-xp28-x4xw (GitHub Security Advisory (GHSA-62jm-xp28-x4xw))
www.vulncheck.com/...xposure-in-app-information-image-upload (VulnCheck Advisory: Capgo - EXIF Metadata Exposure in App Information Image Upload)