Just received notification about a security vulnerability for self-hosted forms users (problems with the download link sharing feature). From what I understand, if a public user attaches a file to a public form, someone else can open the same public form and download the attached file.
I tried this and, when I close the form before submitting it, the attachment is lost. Anyone new going to the form just sees a blank new instance of the form.
Likewise, the form closes automatically after submission and can't be re-opened in the public space. If it is still in process, the attachment can only be seen by a user it is assigned to.
Am I missing something - I just don't see the problem?