- Risk: low
- CVSS v3 Base Score: 4.3
- CVSS v3 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- CWE ID: CWE-424
- CWE Name: Improper Protection of Alternate Path
- CVE: CVE-2021-35949
Description
The permission check for a file drop (upload-only share) could be circumvented by using the shareinfo API. This made it possible to see the files in the file drop, but not to download them.
Affected
- core < 10.8.0
Action taken
Properly check the permissions
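
A simplified model of this class of flaw (CWE-424) and of the fix, added here as an illustration; it is not ownCloud code. The permission bits, the `Share` class and all function names are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Assumed permission bits for this model (not taken from the advisory).
PERM_READ = 1
PERM_CREATE = 4

class Forbidden(Exception):
    """Raised when a share does not grant the required permission."""

@dataclass
class Share:
    token: str
    permissions: int
    files: list = field(default_factory=list)

def require(share, needed):
    """Single permission gate that every code path must go through."""
    if share.permissions & needed != needed:
        raise Forbidden(f"share {share.token} lacks permission {needed}")

def list_files(share):
    """Primary path: listing is gated on READ."""
    require(share, PERM_READ)
    return list(share.files)

def shareinfo_unchecked(share):
    """Alternate path with the flaw: metadata is returned without the READ gate."""
    return {"token": share.token, "children": list(share.files)}

def shareinfo_checked(share):
    """Alternate path after the fix: same gate as the primary path."""
    require(share, PERM_READ)
    return {"token": share.token, "children": list(share.files)}

def upload(share, name):
    """Upload stays available on a file drop because it only needs CREATE."""
    require(share, PERM_CREATE)
    share.files.append(name)

def is_denied(func, share):
    """Return True if calling func(share) is rejected by the permission gate."""
    try:
        func(share)
    except Forbidden:
        return True
    return False

# Constructed sample: an upload-only (file drop) share holding one file.
FILE_DROP = Share("constructed-token", PERM_CREATE, ["report.pdf"])
```

A regression test for this kind of fix should exercise every endpoint that can return share contents, not only the primary listing path.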