File Browser Insecure Direct Object Reference Vulnerability in Share Deletion Functionality

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability exists in the File Browser application in versions up to and including 2.45.0. It lies in the share deletion feature: the endpoint requires an authenticated user with share permission, but it never verifies that the caller owns the share referenced by the hash supplied in the request. Any authenticated user with share permission can therefore delete share links created by other users. In organizational deployments this can disrupt file sharing for projects, presentations, and document collaboration, cause loss of access to shared data, and violate confidentiality agreements that govern the shared content.

Impact

Exploiting this vulnerability lets an authenticated user with share permission delete any other user's share links, disrupting file sharing, breaking links that collaborators depend on, causing potential data loss, and violating confidentiality agreements regarding the shared information. No elevated privilege is required beyond an ordinary account that is allowed to create shares.

Reproduction

To reproduce this vulnerability, two authenticated user accounts with share permission are needed (User A and User B). User A creates a share link and records its share hash. User B logs in, obtains a valid JWT, and sends a DELETE request for User A's share hash to the share endpoint, presenting only their own token. The server accepts the request because it checks only that the caller is authenticated and may share; it performs no ownership check against the share being deleted, so User B's request removes User A's share link.
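As an added illustration, not code from the File Browser project, the following Go program models the share deletion endpoint in the vulnerable form described above and in a hardened form that adds the missing object-level authorization. The route /api/share/{hash}, the X-Auth header, the in-memory store and the token-to-user session table are assumptions constructed for this example; JWT verification is replaced by a table lookup so that the only difference between the two handlers is the ownership check.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// User is a minimal model of an account: an ID plus the two permission bits
// relevant to share deletion (assumed structure for this example).
type User struct {
	ID    uint
	Admin bool
	Share bool // may create and manage shares
}

// ShareLink is a minimal model of a share: its public hash and its owner.
type ShareLink struct {
	Hash   string
	UserID uint
}

// Store is an in-memory stand-in for share storage.
type Store struct {
	mu     sync.Mutex
	shares map[string]ShareLink
}

func NewStore(links ...ShareLink) *Store {
	s := &Store{shares: make(map[string]ShareLink)}
	for _, l := range links {
		s.shares[l.Hash] = l
	}
	return s
}

func (s *Store) Get(hash string) (ShareLink, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	l, ok := s.shares[hash]
	return l, ok
}

func (s *Store) Delete(hash string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.shares, hash)
}

// sessions maps constructed tokens to users. This replaces JWT verification:
// authentication is assumed to work; the bug is in authorization.
var sessions = map[string]User{
	"token-a":     {ID: 1, Share: true},
	"token-b":     {ID: 2, Share: true},
	"token-admin": {ID: 3, Admin: true, Share: true},
}

// authenticate returns the user behind the X-Auth header, if any.
func authenticate(r *http.Request) (User, bool) {
	u, ok := sessions[r.Header.Get("X-Auth")]
	return u, ok
}

// shareHash extracts the hash from DELETE /api/share/{hash}.
func shareHash(r *http.Request) string {
	return strings.TrimPrefix(r.URL.Path, "/api/share/")
}

// vulnerableDelete reproduces the IDOR: the only checks are "is logged in"
// and "may share"; the hash from the URL is trusted without an owner check.
func vulnerableDelete(store *Store) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		u, ok := authenticate(r)
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if !u.Share {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		hash := shareHash(r)
		if _, found := store.Get(hash); !found {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		store.Delete(hash) // no ownership check: any user's share goes
		w.WriteHeader(http.StatusOK)
	}
}

// hardenedDelete loads the share first and deletes it only if the caller
// owns it or is an admin; everyone else gets 403.
func hardenedDelete(store *Store) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		u, ok := authenticate(r)
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if !u.Share {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		hash := shareHash(r)
		link, found := store.Get(hash)
		if !found {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		if link.UserID != u.ID && !u.Admin {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		store.Delete(hash)
		w.WriteHeader(http.StatusOK)
	}
}

// tryDelete sends DELETE /api/share/{hash} as the holder of token and
// reports the status code plus whether the share survived.
func tryDelete(h http.Handler, store *Store, token, hash string) (int, bool) {
	req := httptest.NewRequest(http.MethodDelete, "/api/share/"+hash, nil)
	req.Header.Set("X-Auth", token)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	_, exists := store.Get(hash)
	return rec.Code, exists
}

func main() {
	link := ShareLink{Hash: "abc123", UserID: 1} // owned by User A
	for name, mk := range map[string]func(*Store) http.HandlerFunc{
		"vulnerable": vulnerableDelete, "hardened": hardenedDelete,
	} {
		store := NewStore(link)
		code, exists := tryDelete(mk(store), store, "token-b", link.Hash)
		fmt.Printf("%-10s User B deletes A's share: status=%d stillExists=%v\n", name, code, exists)
	}
}
```

The ownership check belongs in the handler that performs the deletion, keyed on the share record loaded from storage, not on anything the client sends: the hash identifies the object, and the session identifies the caller, and the server must join the two itself.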

Remediation

Update to File Browser version 2.45.1, which addresses this vulnerability. Until the upgrade is applied, limiting the share permission to trusted accounts reduces the set of users who can reach the affected endpoint.

Added: Nov 12, 2025, 11:18 PM
Updated: Nov 12, 2025, 11:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 2.5
exploitability: 6.6
remediation: 7.7
relevance: 0.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.