Flatnotes Denial-of-Service Vulnerability via Image Upload
Vulnerability
A denial-of-service vulnerability has been identified in Flatnotes versions prior to 5.3.1. The issue lies in the image upload function: an authenticated user can submit an upload request in a way that disrupts service. This degrades the application's usability, interferes with its other API functions, and can lead to a server-wide denial-of-service condition.
Impact
Exploitation of this vulnerability causes a denial-of-service condition on the server, disrupting normal operations and potentially affecting all users.
Reproduction
To reproduce this vulnerability, log into the Flatnotes application and navigate to the image upload feature. Upload an image file, such as a PNG, while including a large amount of extraneous data in the same request; the significant volume of unnecessary data overwhelms the server's processing capabilities. Once the upload completes, the application becomes unresponsive and its other API interfaces are inaccessible.
Remediation
Users can update the 'python-multipart' dependency to the latest version to address this vulnerability.
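Alongside the dependency update, a defender would cap the request body on the upload route so that an oversized multipart request is refused before any parser touches it. The middleware below is an added illustration written for this page, not Flatnotes code; it assumes an ASGI application (the page does not state Flatnotes' framework or its real upload path, so `/api/attachments` is a placeholder and the byte cap is chosen per deployment) and includes a small in-process driver so it runs without a server.

```python
import asyncio
UPLOAD_PATHS = ("/api/attachments",)  # hypothetical prefix; the page names no route

class PayloadTooLarge(Exception): pass

class BodySizeLimit:
    """ASGI middleware: cap request bodies on upload routes before any multipart
    parser sees them. Checks Content-Length, then counts streamed chunks as well."""
    def __init__(self, app, max_bytes, paths=UPLOAD_PATHS):
        self.app, self.max_bytes, self.paths = app, max_bytes, tuple(paths)
    async def __call__(self, scope, receive, send):
        if scope["type"] != "http" or not scope["path"].startswith(self.paths):
            return await self.app(scope, receive, send)
        declared = dict(scope.get("headers", [])).get(b"content-length")
        state = [0, False]  # bytes seen so far, response already started
        async def guarded_receive():
            msg = await receive()
            state[0] += len(msg.get("body", b""))
            if state[0] > self.max_bytes:  # chunked uploads carry no Content-Length
                raise PayloadTooLarge(state[0])
            return msg
        async def guarded_send(msg):
            state[1] = True
            await send(msg)
        try:
            if declared is not None and int(declared) > self.max_bytes:
                raise PayloadTooLarge(int(declared))  # reject before reading a byte
            await self.app(scope, guarded_receive, guarded_send)
        except PayloadTooLarge:
            if state[1]:  # response already underway: nothing safe to send back
                raise
            await send({"type": "http.response.start", "status": 413, "headers": []})
            await send({"type": "http.response.body", "body": b"payload too large"})

async def store(scope, receive, send):  # stand-in upload handler: reads whole body
    while (await receive()).get("more_body"): pass
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"stored"})

def drive(app, path, chunks, content_length=None):  # in-process ASGI driver
    headers = [] if content_length is None else [(b"content-length", str(content_length).encode())]
    scope = {"type": "http", "method": "POST", "path": path, "headers": headers}
    pending = [{"type": "http.request", "body": c, "more_body": i < len(chunks) - 1}
               for i, c in enumerate(chunks)]
    sent = []
    async def receive(): return pending.pop(0)
    async def send(msg): sent.append(msg)
    asyncio.run(app(scope, receive, send))
    return sent[0]["status"]  # 413 when the cap is hit, else the handler's status
```

The Content-Length check alone is not enough: a chunked upload declares no length, which is why the wrapped `receive` keeps its own byte count.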