{"id":"CVE-2020-12687","details":"An issue was discovered in Serpico before 1.3.3. The /admin/attacments_backup endpoint can be requested by non-admin authenticated users. This means that an attacker with a user account can retrieve all of the attachments of all users (including administrators) from the database.","modified":"2026-04-02T02:10:43.861887Z","published":"2020-05-07T16:15:11.267Z","references":[{"type":"FIX","url":"https://github.com/SerpicoProject/Serpico/commit/0b8600414976a5ad733604c7b1428071baf239c2"},{"type":"FIX","url":"https://github.com/SerpicoProject/Serpico/releases/tag/1.3.3"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/buffalowill/serpico","events":[{"introduced":"0"},{"fixed":"0b8600414976a5ad733604c7b1428071baf239c2"},{"fixed":"667a4853ecd0b01e2d40166269f3b1e916a480d5"}]},{"type":"GIT","repo":"https://github.com/serpicoproject/serpico","events":[{"introduced":"0"},{"fixed":"667a4853ecd0b01e2d40166269f3b1e916a480d5"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.3.3"}]}}],"versions":["1.0","1.1.0","1.1.1","1.2.1","1.2.2","1.2.2.1","1.3.0","1.3.1","1.3.1.0","1.3.1.1","1.3.1.2","BH2016Alpha","BH2017_1.2.0_Alpha","v1.3.2-pre"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-12687.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}