CVE-2024-30265

Voilà Local file inclusion

Description

Collabora Online is a collaborative online office suite based on LibreOffice technology. Any deployment of voilà dashboard allow local file inclusion. Any file on a filesystem that is readable by the user that runs the voilà dashboard server can be downloaded by someone with network access to the server. Whether this still requires authentication depends on how voilà is deployed. This issue has been patched in 0.2.17, 0.3.8, 0.4.4 and 0.5.6.

Category

7.5
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.23%
Affected: voila-dashboards voila
Published at:
Updated at:

References

Link Tags
https://github.com/voila-dashboards/voila/security/advisories/GHSA-2q59-h24c-w6fg
https://github.com/voila-dashboards/voila/commit/00d6362c237b6b4d466873535554d6076ead0c52
https://github.com/voila-dashboards/voila/commit/28faacc9b03b160fd8fa920ad045f4ec0667ab67
https://github.com/voila-dashboards/voila/commit/5542e4ae36bb5d184deaa48f95e76be477756af2
https://github.com/voila-dashboards/voila/commit/98b6a40fec27723572314fdbba99bdc147d904c8
https://github.com/voila-dashboards/voila/commit/c045be6988539d07cceeb9f82fc660a49485d504

Frequently Asked Questions

What is the severity of CVE-2024-30265?
CVE-2024-30265 has been scored as a high severity vulnerability.
How to fix CVE-2024-30265?
To fix CVE-2024-30265, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-30265 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-30265 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-30265?
CVE-2024-30265 affects voila-dashboards voila.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.