Advisory: 2020-01 SMS 2FA Set a phone number

Issue:

FileCloud installations that have SMS-based 2FA enabled do not perform any validation when setting a phone number for a user account.

Any unauthenticated user can reset the phone number of a FileCloud user in the system by sending the username and phone number with an invalid verification code. This requires the attacker to know the correct username of a user account that exists in the FileCloud installation.
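
The following added example is not FileCloud code and not part of the original advisory. It models this class of flaw in a small in-memory store next to a hardened variant that checks the session and the verification code before storing the number. The `Accounts` class, its method names and the phone numbers are hypothetical, and the flawed method is an assumed reconstruction of the behaviour described above.

```python
import hmac
import secrets


class Accounts:
    """In-memory stand-in for a user store with SMS 2FA (constructed for this example)."""

    def __init__(self):
        self.phones = {}    # username -> verified phone number
        self.pending = {}   # username -> (candidate phone, one-time code)

    def start_change(self, session_user, username, new_phone):
        # Only the logged-in owner of an existing account may start a change.
        if session_user != username or username not in self.phones:
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = (new_phone, code)
        return code  # a real system sends this by SMS to new_phone instead

    def set_phone_flawed(self, username, new_phone, code):
        # Assumed model of the flaw: no session check, and the number is
        # stored before the code is checked, so a wrong code still changes it.
        if username not in self.phones:
            return False
        self.phones[username] = new_phone
        _, expected = self.pending.get(username, (None, ""))
        return hmac.compare_digest(code.encode(), expected.encode())

    def set_phone_checked(self, session_user, username, new_phone, code):
        # Hardened: authenticate first, validate the code, then persist.
        if session_user != username:
            return False
        pending = self.pending.pop(username, None)  # single use, even on failure
        if pending is None:
            return False
        phone, expected = pending
        if phone != new_phone:
            return False
        if not hmac.compare_digest(code.encode(), expected.encode()):
            return False
        self.phones[username] = new_phone
        return True
```

A regression test for the fix should assert that the stored number is unchanged after a rejected request, not only that the request returned an error.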

Solution

This has been fixed in FileCloud versions 19.3.0.6011 and later.

If you are using a FileCloud on-premise installation, please update to the latest version.

If you are using FileCloud online, your site has already been updated to the latest version.