h5ai Security Advisory

Release Date: 2014-06-22
Affected versions: 0.22.0 - 0.24.1
Fixed In: 0.25.0
CVE: CVE-2015-3203

Description:

A security flaw was found in the way h5ai allowed arbitrary files to be uploaded onto a server via its experimental "file upload" feature. The file upload functionality was implemented as browser-side JavaScript code that talked to an AJAX server-side API. While the function was turned off in the config, this setting only affected the generation of the browser-side JavaScript UI; the server-side API was still active. An attacker could still talk to the API and upload files at will to sites running vulnerable h5ai versions, and potentially compromise the web site.

All h5ai users are advised to upgrade to the fixed version.
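
The gap described above, shown as an added example that is not h5ai's own code: a constructed Python model in which the config flag hides the upload control from the UI, one request handler never consults it, and a corrected handler enforces it on the server. All names (CONFIG, ACTIONS, handle_vulnerable, handle_fixed) and the request shape are hypothetical.

```python
# Constructed model of the flaw class; every name here is hypothetical.
CONFIG = {"upload": {"enabled": False}}   # operator has switched the feature off

def render_ui(config):
    """Client-side view: only enabled features get a UI control."""
    controls = ["list"]
    if config["upload"]["enabled"]:
        controls.append("upload")
    return controls

def do_list(store, req):
    return 200, sorted(store)

def do_upload(store, req):
    store[req["name"]] = req["data"]      # in-memory stand-in for a file write
    return 200, "stored"

# action -> (handler, config section that must be enabled, or None if always on)
ACTIONS = {"list": (do_list, None), "upload": (do_upload, "upload")}

def handle_vulnerable(config, store, req):
    """Dispatches on the action alone; the config flag is never consulted."""
    handler, _flag = ACTIONS[req["action"]]
    return handler(store, req)

def handle_fixed(config, store, req):
    """Enforces the same flag on the server before any handler runs."""
    entry = ACTIONS.get(req.get("action"))
    if entry is None:
        return 400, "unknown action"
    handler, flag = entry
    if flag is not None and not config.get(flag, {}).get("enabled", False):
        return 403, "feature disabled"
    return handler(store, req)

def demo():
    # Constructed request sent straight to the API, bypassing the UI.
    req = {"action": "upload", "name": "note.txt", "data": b"constructed sample"}
    vuln_store, fixed_store = {}, {}
    return {
        "ui": render_ui(CONFIG),
        "vulnerable": handle_vulnerable(CONFIG, vuln_store, req)[0],
        "fixed": handle_fixed(CONFIG, fixed_store, req)[0],
        "vuln_files": sorted(vuln_store),
        "fixed_files": sorted(fixed_store),
    }

if __name__ == "__main__":
    print(demo())
```

The same check is useful as a regression test after upgrading: with the feature disabled in the config, a direct request to the server-side endpoint should be refused and leave no file behind.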