{"id":"CVE-2019-14280","details":"In some circumstances, Craft 2 before 2.7.10 and 3 before 3.2.6 wasn't stripping EXIF data from user-uploaded images when it was configured to do so, potentially exposing personal/geolocation data to the public.","modified":"2026-04-10T04:12:19.690142Z","published":"2019-07-26T04:15:11.760Z","references":[{"type":"WEB","url":"http://packetstormsecurity.com/files/154276/Craft-CMS-2.7.9-3.2.5-Information-Disclosure.html"},{"type":"ADVISORY","url":"https://github.com/craftcms/cms/blob/develop-v2/CHANGELOG-v2.md#2710---2019-07-24"},{"type":"ADVISORY","url":"https://github.com/craftcms/cms/blob/develop/CHANGELOG-v3.md#326---2019-07-23"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/craftcms/cms","events":[{"introduced":"64e102b9d2598e92d68e0d5ecc864bc47c38004e"},{"fixed":"2f9ef3ed80295c763eae9d9af96401336d0645a2"},{"introduced":"18263261a5a70f0f84d78db6c4449b6fe304224e"},{"fixed":"02739d27edfc4eea0749ee2c3aedbc91745f998c"}],"database_specific":{"versions":[{"introduced":"2.0.2524"},{"fixed":"2.7.10"},{"introduced":"3.0.0"},{"fixed":"3.2.6"}]}}],"versions":["2.0.2524","2.0.2525","2.0.2527","2.0.2532","2.0.2533","2.0.2535","2.0.2536","2.0.2537","2.0.2538","2.0.2539","2.1.0-alpha.2546","2.1.0-alpha.2547","2.1.0-alpha.2552","2.1.2554","2.1.2555","2.1.2556","2.1.2557","2.2.0-alpha.2578","2.2.2579","2.2.2581","2.3.0-alpha.2600","2.3.0-alpha.2602","2.3.0-alpha.2603","2.3.0-alpha.2605","2.3.0-alpha.2606","2.3.0-alpha.2608","2.3.0-alpha.2610","2.3.0-alpha.2612","2.3.2615","2.3.2616","2.3.2617","2.3.2618","2.3.2620","2.3.2621","2.3.2623","2.3.2624","2.3.2625","2.3.2626","2.3.2627","2.5.0-beta.2717","2.5.0-beta.2720","2.5.0-beta.2722","2.5.0-beta.2724","2.5.0-beta.2727","2.5.2750","2.5.2752","2.5.2753","2.5.2755","2.5.2757","2.5.2759","2.5.2760","2.5.2761","2.6.2771","2.6.2773","2.6.2774","2.6.2776","2.6.2778","2.6.2779","2.6.2780","2.6.2781","2.6.2783","2.6.2784","2.6.2785","2.6.2788","2.6.2789","2.6.2791","2.6.2793","2.6.2794","2.6.2795","2.6.2796","2.6.2797","2.6.2798","2.6.2804","2.6.2903","2.6.2911","2.6.2916","2.6.2922","2.6.2923","2.6.2929","2.6.2930","2.6.2931","2.6.2940","2.6.2944","2.6.2945","2.6.2949","2.6.2950","2.6.2951","2.6.2952","2.6.2953","2.6.2979","2.7.9","3.0.0-RC10.1","3.0.0-alpha.2671","3.0.0-alpha.2681","3.0.0-alpha.2687","3.0.0-alpha.2915","3.0.0-alpha.2918","3.0.0-alpha.2928","3.0.0-alpha.2933","3.0.0-alpha.2937","3.0.0-alpha.2939","3.0.0-alpha.2942","3.0.0-alpha.2948","3.0.26","3.0.26.1","3.0.27","3.0.27.1","3.0.28","3.0.29","3.0.30","3.0.30.1","3.0.30.2","3.0.31","3.0.32","3.0.33","3.0.34","3.0.35","3.0.36","3.0.37","3.1.1","3.1.10","3.1.11","3.1.12","3.1.13","3.1.14","3.1.15","3.1.16","3.1.17","3.1.17.1","3.1.17.2","3.1.18","3.1.19","3.1.2","3.1.2.1","3.1.2.2","3.1.20","3.1.20.1","3.1.21","3.1.21.1","3.1.22","3.1.23","3.1.24","3.1.25","3.1.26","3.1.27","3.1.28","3.1.29","3.1.3","3.1.30","3.1.31","3.1.32","3.1.32.1","3.1.33","3.1.34","3.1.4","3.1.5","3.1.6","3.1.6.1","3.1.7","3.1.8","3.1.9","3.1.9.1","3.2.0","3.2.1","3.2.2","3.2.3","3.2.4","3.2.4.1","3.2.5","3.2.5.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-14280.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}