VYPR
Unrated severity · NVD Advisory · Published Apr 14, 2023 · Updated Feb 6, 2025

CVE-2023-29850

Description

SLiMS Bulian v9.5.2 fails to strip EXIF data from uploaded images, exposing user geolocation and device information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability is a missing sanitization of EXIF (Exchangeable Image File Format) metadata in uploaded images. When a user uploads a photo via the membership profile page at /admin/index.php?mod=membership, the application stores the image with its original EXIF data intact. This affects SLiMS Bulian v9.5.2 and earlier versions [1]. The issue is present in the membership module of the admin panel, where profile pictures are accepted without stripping embedded metadata.

Exploitation

An attacker with admin-level access to the SLiMS panel can upload an image containing EXIF geolocation and device information via the membership profile upload feature. Alternatively, an attacker who can view another user's profile can download that user's uploaded image and extract the EXIF data with any online or offline tool (e.g., verexif.com) [1]. Beyond being able to reach the uploaded image's public URL, no authentication is needed: the attacker inspects the image URL in the page source, fetches the file, and parses its EXIF tags.

Impact

The impact is exposure of sensitive personal information. The attacker can obtain the uploader's precise geolocation (GPS coordinates embedded by the device camera), device name, OS version, software version, and other camera/device metadata [1]. This violates user privacy and, if GPS coordinates are revealed, may enable physical tracking or social engineering attacks. The confidentiality breach is considered critical by the reporter.

Mitigation

As of the publication date (2023-04-14), no official patch or fixed version has been released. The SLiMS project has acknowledged the issue in GitHub issue #186 [1]. Administrators should add a manual EXIF-stripping step for all uploaded images, either at the web server or in a server-side script (e.g., exiftool, or in PHP validating the file type with exif_imagetype and then re-encoding the image so that the metadata segments are dropped; note that exif_read_data only reads tags and does not remove them). Until a patched version is distributed, the CMS remains vulnerable to this information disclosure.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2 products:
  • SENAYAN/Library Management System (SLiMS) (source: description)
  • Slims/9 Bulian (source: llm-fuzzy)
    Range: = 9.5.2

Patches

0 patches. No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing EXIF metadata stripping on image upload allows sensitive geolocation and device information to persist in stored images."

Attack vector

An attacker with access to a member profile photo can extract EXIF metadata from the uploaded image. The attacker first uploads an image containing EXIF data (e.g., from public EXIF sample sets) to a member profile via the admin membership menu [ref_id=1]. By obtaining the direct URL of the uploaded image, the attacker can then use an EXIF viewer (such as verexif.com) to read the embedded metadata, which may include the original uploader's geolocation and device information [ref_id=1]. No authentication beyond the ability to upload a profile photo is required.

Affected code

The issue is in the image upload functionality of the membership module. The affected URL is `http://127.0.0.1/bulian/admin/index.php?mod=membership` [ref_id=1]. The application does not strip EXIF metadata from uploaded images before storing them.

What the fix does

No patch is provided in the bundle. The advisory [ref_id=1] identifies that SLiMS Bulian v9.5.2 does not strip EXIF data from uploaded images. The remediation would require the application to remove or sanitize EXIF metadata (including GPS coordinates and device information) from images at the point of upload, before storing them on the server.
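The remediation described in the Mitigation section and here is to remove the metadata segments at upload time, before the file is stored. The following Python is an added example written for this page; it is not SLiMS code and not from the advisory. SLiMS itself is PHP, where the equivalent is to re-encode the validated upload with GD (imagejpeg does not carry Exif through) or to call Imagick's stripImage(); the Python version instead walks the JPEG marker structure directly, so both the check ("is a GPS IFD present?") and the fix ("drop APP1/APP13/COM") are visible and testable offline. The sample JPEG bytes, the function names and the segment choices are all constructed for this example.

```python
"""Detect and strip EXIF/IPTC/comment metadata from a JPEG by walking its marker segments.
Added example for this advisory page; not SLiMS code."""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
APP0, APP1, APP13, COM = 0xE0, 0xE1, 0xED, 0xFE
# Markers that carry no length field: SOI, EOI, TEM, RST0-RST7
STANDALONE = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))
# Segments that exist only to carry metadata (Exif/XMP, IPTC/Photoshop, comments).
# APP0 (JFIF), APP2 (ICC profile) and APP14 (Adobe) are kept: they affect decoding, not privacy.
METADATA_MARKERS = {APP1, APP13, COM}


def iter_segments(data: bytes):
    """Yield (marker, raw_segment) for each segment up to SOS. The SOS segment is yielded
    together with the whole remaining entropy-coded stream (through EOI), because scan data
    has no length field and must be copied through untouched."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    yield SOI, data[:2]
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker in STANDALONE:
            yield marker, data[pos:pos + 2]
            pos += 2
            if marker == EOI:
                return
            continue
        if marker == SOS:
            yield SOS, data[pos:]
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # length includes its own 2 bytes
        yield marker, data[pos:pos + 2 + length]
        pos += 2 + length


def segment_payload(seg: bytes) -> bytes:
    """Bytes after the 2-byte marker and 2-byte length."""
    return seg[4:]


def has_exif(data: bytes) -> bool:
    """True if any APP1 segment carries an Exif block."""
    return any(m == APP1 and segment_payload(s).startswith(b"Exif\x00\x00")
               for m, s in iter_segments(data))


def has_gps_ifd(data: bytes) -> bool:
    """True if the Exif TIFF block's IFD0 contains a GPSInfo pointer (tag 0x8825),
    i.e. the image carries a GPS sub-IFD. This is the check a defender runs after stripping."""
    for m, s in iter_segments(data):
        payload = segment_payload(s)
        if m != APP1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if endian is None or len(tiff) < 8:
            continue
        (ifd0,) = struct.unpack(endian + "I", tiff[4:8])
        if len(tiff) < ifd0 + 2:
            continue
        (count,) = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])
        for i in range(count):
            entry = tiff[ifd0 + 2 + 12 * i: ifd0 + 14 + 12 * i]
            if len(entry) < 2:
                break
            (tag,) = struct.unpack(endian + "H", entry[:2])
            if tag == 0x8825:
                return True
    return False


def strip_metadata(data: bytes) -> bytes:
    """Return the JPEG with all metadata-only segments removed; pixel data is untouched."""
    return b"".join(s for m, s in iter_segments(data) if m not in METADATA_MARKERS)


# Constructed sample (not a real photo): JFIF header, an Exif block whose IFD0 points at an
# empty GPS sub-IFD, a comment, a one-component SOS header, two fake scan bytes, EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"                                                      # SOI
    b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0 JFIF
    b"\xff\xe1\x00\x28Exif\x00\x00"                                  # APP1 Exif, length 40
    b"II*\x00\x08\x00\x00\x00"                                       # TIFF header, LE, IFD0 at 8
    b"\x01\x00"                                                      # IFD0: one entry
    b"\x25\x88\x04\x00\x01\x00\x00\x00\x1a\x00\x00\x00"              # tag 0x8825 GPSInfo -> offset 26
    b"\x00\x00\x00\x00"                                              # no next IFD
    b"\x00\x00\x00\x00\x00\x00"                                      # GPS IFD at 26: zero entries
    b"\xff\xfe\x00\x09comment"                                       # COM
    b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                      # SOS header
    b"\x12\x34"                                                      # fake entropy-coded data
    b"\xff\xd9"                                                      # EOI
)

if __name__ == "__main__":
    print("before: exif=%s gps=%s" % (has_exif(SAMPLE_JPEG), has_gps_ifd(SAMPLE_JPEG)))
    clean = strip_metadata(SAMPLE_JPEG)
    print("after:  exif=%s gps=%s (%d -> %d bytes)"
          % (has_exif(clean), has_gps_ifd(clean), len(SAMPLE_JPEG), len(clean)))
```

Segment-level stripping keeps the compressed pixel data byte-for-byte, whereas re-encoding with GD recompresses the image; either way, run the GPS check on the stored file, not the upload, so the test covers whatever path actually wrote it. This parser is JPEG-only: PNG (eXIf chunk) and WebP (EXIF chunk) carry the same metadata in other containers, so the upload handler should validate the type first and apply a container-appropriate strip.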

Preconditions

  • Auth: the attacker must be able to upload an image to a member profile via the admin membership menu
  • Input: the uploaded image must contain EXIF metadata (e.g., geolocation, device info)
  • Network: the attacker must be able to retrieve the direct URL of the stored uploaded image

Reproduction

1. Log in to the SLiMS Bulian v9.5.2 admin panel and navigate to the membership menu at `http://127.0.0.1/bulian/admin/index.php?mod=membership` [ref_id=1].
2. Obtain an image with EXIF data (e.g., from https://github.com/ianare/exif-samples/tree/master/jpg) [ref_id=1].
3. Upload the image to any member's profile.
4. Retrieve the direct URL of the uploaded image (by right-clicking the image and copying the address, or inspecting the HTML) [ref_id=1].
5. Open the image URL in an EXIF viewer such as https://www.verexif.com/en/index.php to confirm the EXIF data is still present [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
