Threat of Unauthenticated User Reading Unauthorized UI Resources
|Security Advisory Date||June 9, 2021|
|Vulnerability Type||Limited Arbitrary File Read|
Low, because the user (authenticated or not) is able to read only zip files within the FileCloud installation.
|Versions affected||All versions of FileCloud prior to 188.8.131.5206, on-premises installations in Windows only.|
|Version fixed||FileCloud Version 184.108.40.20606|
On Windows, the core/ui endpoint potentially enabled an unauthenticated user to read the contents of a zip file within the FileCloud installation.
The latest version of FileCloud fixes this by treating the string as invalid and returning a bad request error.
This has been fixed in FileCloud version 220.127.116.1106, which prevents the request from being sent.
What you should do
- If you are using a FileCloud on-premises installation in Windows, please update it to the latest version, which is 18.104.22.16806 or greater.
- If you are using FileCloud online or using FileCloud on a non-Windows system, you are not affected.
If you have any questions about this advisory, please contact FileCloud support.