Collabora KodExplorer Improper Authorization Vulnerability in File Upload Endpoint
Vulnerability
A business logic bypass vulnerability has been identified in Collabora KodExplorer versions through 4.52. The issue resides in the file upload endpoint implemented in '/app/controller/share.class.php'. It is an improper authorization flaw and can be exploited remotely. Even when upload permissions are disabled for a shared folder, the application fails to enforce this restriction, allowing unauthorized file uploads into the shared directory.
Impact
Exploitation of this vulnerability could lead to unauthorized file uploads, potentially allowing an attacker to inject malicious content, plant phishing files, or tamper with collaboratively shared data.
Reproduction
To reproduce this vulnerability, share a folder and disable upload permissions using the 'canUpload' setting. Then, access the share link and use it to upload files through the 'share/fileUpload' endpoint. This can be done without authentication, bypassing the intended restriction on uploads.
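For defenders, the following added example (not taken from the advisory or from KodExplorer's code) scans a web access log for successful POSTs to 'share/fileUpload' that target shares whose 'canUpload' setting is off. The combined log format, the query layout 'index.php?share/fileUpload&user=..&sid=..', the share inventory and the log lines are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed inventory: share id -> canUpload flag, as an admin might export it.
SHARES = {"a1B2c3": False, "z9Y8x7": True}

# Constructed access-log lines (combined log format). The query layout
# index.php?share/fileUpload&user=..&sid=.. is an assumption.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jan/2025:10:00:01 +0000] "GET /index.php?share/folder&user=1&sid=a1B2c3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2025:10:00:09 +0000] "POST /index.php?share/fileUpload&user=1&sid=a1B2c3 HTTP/1.1" 200 87 "-" "Mozilla/5.0"
203.0.113.20 - - [10/Jan/2025:10:02:30 +0000] "POST /index.php?share/fileUpload&user=1&sid=z9Y8x7 HTTP/1.1" 200 90 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2025:10:05:44 +0000] "POST /index.php?share/fileUpload&user=1&sid=a1B2c3 HTTP/1.1" 403 12 "-" "curl/8.5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_unauthorized_uploads(log_text, shares):
    """Return upload requests that succeeded against shares with canUpload off."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        query = urlsplit(m["target"]).query
        # The route is the first, valueless query token; compare case-insensitively.
        route = query.split("&", 1)[0].lower()
        if route != "share/fileupload":
            continue
        sid = parse_qs(query).get("sid", [""])[0]
        # Share ids missing from the inventory are treated as upload-disabled.
        allowed = shares.get(sid, False)
        if not allowed and m["status"].startswith("2"):
            hits.append({"ip": m["ip"], "time": m["ts"], "sid": sid,
                         "status": int(m["status"])})
    return hits

if __name__ == "__main__":
    for hit in find_unauthorized_uploads(SAMPLE_LOG, SHARES):
        print(hit)
```

A hit means the server accepted an upload that the share's settings should have refused, so the uploaded file and the shared directory's contents are worth reviewing.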
