CVE-2019-14280

MEDIUM

Craft CMS 2 < 2.7.10 and 3 < 3.2.6 - Info Disclosure

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-14280. PoCs published by Mohammed Abdul Raheem.

AI-analyzed exploit summary: This is a writeup describing an information disclosure vulnerability in CraftCMS where EXIF geolocation data from uploaded images is not stripped, potentially exposing sensitive user information. The document provides steps to validate the vulnerability and references a PoC video.

Description

In some circumstances, Craft 2 before 2.7.10 and 3 before 3.2.6 wasn't stripping EXIF data from user-uploaded images when it was configured to do so, potentially exposing personal/geolocation data to the public.

Exploits (1)

exploitdb WRITEUP
by Mohammed Abdul Raheem · text · webapps · php
https://www.exploit-db.com/exploits/47343

Classification: Writeup 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: CraftCMS v2 before 2.7.10 and v3 before 3.2.6
Auth required
Prerequisites: Access to a CraftCMS account · An image with EXIF geolocation data
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/craftcms/cms/blob/develop-v2/CHANGELOG-v2.md#2710---2019-07-24
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/craftcms/cms/blob/develop/CHANGELOG-v3.md#326---2019-07-23

Scores

CVSS v3 5.3
EPSS 0.0797
EPSS Percentile 94.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE CWE-200
Status published
Products (1)
craftcms/craft_cms 2.0.2524 - 2.7.10
Published Jul 26, 2019
Tracked Since Feb 18, 2026