Initiative Access Control Vulnerability Allowing Unauthenticated Access to Uploaded Documents

Vulnerability

An access control vulnerability has been identified in Initiative, a self-hosted project management platform, affecting versions prior to 0.32.2. The vulnerability arises because uploaded documents are served from a publicly accessible '/uploads/' directory without any authentication or authorization checks. This allows unauthenticated users, including those in incognito browser sessions, to directly access any uploaded file via its URL, potentially leading to the disclosure of sensitive documents.
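The gap described above, shown as an added example that is not Initiative's code or its actual patch: one handler serves '/uploads/' to anyone who knows the URL, the other authenticates the session and authorizes per document before serving. The session tokens, user names, file name, ACL layout and function names are all constructed for illustration.

```python
# Added illustration: NOT Initiative's code or its actual fix.
# Session tokens, users, file names and the ACL layout are constructed samples.
import posixpath

SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}            # cookie token -> user
UPLOADS = {"q3-budget.pdf": (b"%PDF-constructed", {"alice"})}  # name -> (bytes, allowed users)

def _session_user(environ):
    """Return the user bound to the request's 'session' cookie, or None."""
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return SESSIONS.get(value)
    return None

def public_uploads(environ):
    """Pattern from the advisory: the file is served with no identity check at all."""
    name = posixpath.basename(environ["PATH_INFO"])
    if name in UPLOADS:
        return 200, UPLOADS[name][0]
    return 404, b""

def guarded_uploads(environ):
    """Hardened pattern: authenticate first, then authorize per document, then serve."""
    user = _session_user(environ)
    if user is None:
        return 401, b""  # no valid session: never reaches the file lookup
    name = posixpath.basename(environ["PATH_INFO"])
    entry = UPLOADS.get(name)
    if entry is None or user not in entry[1]:
        return 404, b""  # same answer for "missing" and "not yours": no existence oracle
    return 200, entry[0]

def request(handler, path, cookie=""):
    """Call a handler with a minimal WSGI-style environ; returns (status, body)."""
    return handler({"PATH_INFO": path, "HTTP_COOKIE": cookie})

if __name__ == "__main__":
    url = "/uploads/q3-budget.pdf"
    for handler in (public_uploads, guarded_uploads):
        for cookie in ("", "session=tok-bob", "session=tok-alice"):
            status, _ = request(handler, url, cookie)
            print(f"{handler.__name__:16} cookie={cookie or '-':18} -> {status}")
```

The same three requests (no cookie, a logged-in user without access, the document's owner) make a useful post-upgrade regression check against any route that serves uploaded files.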

Impact

Exploitation of this vulnerability could result in the unauthorized disclosure of sensitive documents uploaded to the Initiative platform.

Remediation

Users can upgrade to Initiative version 0.32.2 or later to address this vulnerability. Instructions for downloading version 0.32.2 are available on the Initiative GitHub Releases page.

Added: Feb 26, 2026, 11:21 PM
Updated: Feb 26, 2026, 11:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 0.0
relevance: 3.2
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.