Collabora Online
cpe:2.3:a:collabora:online:*:*:*:*:*:*:*
- < 25.04.7.5
- < 24.04.17.3
- < 23.05.20.1
An authorization bypass vulnerability has been identified in Collabora Online, specifically in the Development Edition prior to 25.04.08.2, as well as in Collabora Online versions prior to 23.05.20.1, 24.04.17.3, and 25.04.7.5. This vulnerability allows users with view-only rights and no download privileges to obtain local copies of shared files. Although the interface does not provide download options, the key combination Ctrl+Shift+S can be used to initiate the download process. This bypasses access restrictions and leads to unauthorized data retrieval, posing a risk of data leakage in corporate and regulated environments.
Exploiting this vulnerability breaks the intended access control model: confidential documents can be copied and redistributed, and file owners who rely on 'view only' mode are given a false sense of security.
To reproduce this vulnerability, grant a user view-only access to a file with download restrictions in a Nextcloud environment integrated with Collabora Online. The user can then use the Ctrl+Shift+S key combination to download the file, bypassing the access controls.
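The bug class behind this advisory is a permission that is enforced only by hiding a UI control while the underlying export route stays reachable through another trigger. The following is an added illustration, not Collabora Online's or Nextcloud's code: a constructed view-only share, a simulated server-side export route in a vulnerable and a hardened form, and a client whose Ctrl+Shift+S handler reaches that route even though the menu entry is hidden.

```javascript
'use strict';

// Constructed share policy for a view-only share with downloads disabled,
// the situation described in the advisory (hypothetical field names).
const viewOnlyShare = { fileId: 'doc-1', canEdit: false, canDownload: false };

// Simulated host-side export route (hypothetical). The vulnerable variant
// assumes the UI never sends the request; the hardened one checks the share
// policy on every request, no matter how the client triggered it.
function vulnerableExport(share) {
  return { status: 200, body: 'file bytes' };
}
function hardenedExport(share) {
  if (!share.canDownload) return { status: 403, body: null };
  return { status: 200, body: 'file bytes' };
}

// Simulated editor client. The Download menu entry is hidden when downloads
// are disabled, but the keyboard shortcut still calls the same export route,
// which is the path the advisory describes. Hiding the control is UX only;
// the authorization decision has to live in the route itself.
function makeClient(share, exportRoute) {
  const downloaded = [];
  const requestExport = () => {
    const res = exportRoute(share);
    if (res.status === 200) downloaded.push(res.body);
    return res.status;
  };
  return {
    menuItems: share.canDownload ? ['Download'] : [],
    keydown(ev) {
      if (ev.ctrlKey && ev.shiftKey && ev.key === 'S') return requestExport();
      return null;
    },
    downloaded,
  };
}

// Drives the shortcut against a given export route and returns how many
// local copies a view-only user obtained: 1 for the vulnerable route,
// 0 for the hardened one.
function copiesObtained(exportRoute) {
  const client = makeClient(viewOnlyShare, exportRoute);
  client.keydown({ ctrlKey: true, shiftKey: true, key: 'S' });
  return client.downloaded.length;
}
```

The same check belongs on every server endpoint that can produce a file (download, export, print to PDF), since a client-side gate can always be bypassed by a scripted request.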
Users can update to Collabora Online Development Edition 25.04.08.2 or Collabora Online versions 23.05.20.1, 24.04.17.3, and 25.04.7.5 to address this vulnerability.