SS-2014-014: Front end UploadField exposes lists of assets

Severity: Low
Identifier: SS-2014-014
Versions Affected: 3.1
Versions Fixed: 3.1.7
Release Date: 2014-11-08

When used on a front-end form, it's possible for an UploadField to be exploited to expose the list of files within an assets subdirectory to users who do not have permission to view those files.

Thanks to Filype Pereira for reporting.