Full path and username disclosure in public links

Aug 2, 2021

  • Risk: low
  • CVSS v3 Base Score: 4.3
  • CVSS v3 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  • CWE ID: CWE-209
  • CWE Name: Generation of Error Message Containing Sensitive Information
  • CVE: CVE-2021-35947

Description

By appending certain characters to the query parameters of a public share link, an error could be triggered that displayed the internal path and username of the share owner.

Affected

  • core < 10.8.0

Action taken

Properly handle the error and show a generic error message.
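
The fix pattern described above, shown as an added example (not ownCloud's code): a handler that echoes exception text to the client next to one that logs the detail server-side and returns a fixed message, plus a regression check for leaked owner or path strings. The share table, paths, function names and the "file" parameter are hypothetical and constructed for illustration.

```python
import logging
import uuid

log = logging.getLogger("public_share")

# Constructed sample data (hypothetical layout, not ownCloud's real storage schema).
SHARES = {
    "tok123": {"owner": "alice", "root": "/srv/data/alice/files", "files": {"report.pdf"}},
}


def resolve(token, params):
    """Hypothetical backend lookup whose exceptions carry internal detail."""
    share = SHARES[token]
    name = params.get("file", "")
    if name not in share["files"]:
        raise FileNotFoundError(f"{share['root']}/{name} (owner {share['owner']})")
    return f"serving {name}"


def handle_leaky(token, params):
    """CWE-209 pattern: the exception text is echoed to the anonymous client."""
    try:
        return 200, resolve(token, params)
    except Exception as exc:
        return 500, str(exc)


def handle_generic(token, params):
    """Detail goes to the server log under an incident id; the client gets a fixed message."""
    try:
        return 200, resolve(token, params)
    except Exception:
        incident = uuid.uuid4().hex[:12]
        log.exception("public share request failed incident=%s token=%s", incident, token)
        return 500, f"The request could not be processed. Reference: {incident}"


def leaks_internal_detail(body, share):
    """Regression check: does a response body contain the owner name or storage root?"""
    return share["owner"] in body or share["root"] in body
```

The incident reference lets support staff find the logged stack trace without exposing it to the anonymous visitor.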