
Question


Please explain download link sharing vulnerability

asked on September 1, 2021

Just received notification about a security vulnerability for self-hosted forms users (problems with the download link sharing feature).  From what I understand, if a public user attaches a file to a public form, someone else can open the same public form and download the attached file.

I tried this and, when I close the form before submitting it, the attachment is lost.  Anyone new going to the form just sees a blank new instance of the form. 

Likewise, the form closes automatically after submission and can't be re-opened in the public space.  If it is still in process, the attachment can only be seen by a user it is assigned to.

Am I missing something - I just don't see the problem? 

Replies

replied on September 1, 2021

Refer to KB1014315 and contact Support directly with any follow-up questions. We appreciate your time and want to make sure all inquiries are promptly addressed. Please note that Laserfiche Answers is a semi-public forum and sensitive technical details of any vulnerability will not be detailed within such a forum.

replied on September 1, 2021

If I am reading this right, it does not say here that anyone could use this exploit to access a file uploaded by another public user, only their own file. So no data is at risk here, only raw disk space. Is this correct?

replied on September 1, 2021

That is correct.
