Threat of Unauthenticated User Reading Unauthorized UI resources
Security Advisory Date | June 9, 2021
Vulnerability Type | Limited Arbitrary File Read
Severity factors | Low, because the user (authenticated or not) is able to read only zip files within the FileCloud installation.
Versions affected | All versions of FileCloud prior to 21.1.1.15106, on-premises installations in Windows only.
Version fixed | FileCloud Version 21.1.1.15106
Description
On Windows, the core/ui endpoint potentially enabled an unauthenticated user to read the contents of a zip file within the FileCloud installation.
The latest version of FileCloud fixes this by treating the string as invalid and returning a bad request error.
Fix
This has been fixed in FileCloud version 21.1.1.15106, which prevents sending of the request.
What you should do
- If you are using a FileCloud on-premises installation in Windows, please update it to the latest version, which is 21.1.1.15106 or greater.
- If you are using FileCloud online or using FileCloud on a non-Windows system, you are not affected.
If you have any questions about this advisory, please contact FileCloud support.