Impact
Attachments (files and links) can be created and edited by users who have not been granted the required permissions.
The relevant API endpoints did not have the correct permission sets applied, so any authenticated user can upload and modify attachments, even if that user does not nominally have the required permissions.
Patches
- Refer to PR #3218
- This patch will be applied to the upcoming 0.8.0 stable release
Workarounds
None
References
For more information
If you have any questions or comments about this advisory: