Insecure Direct Object Reference (IDOR) Vulnerability in File Manager Bulk Transfer Functionality

Moderate
ibuler published GHSA-8wqm-rfc7-q27q Mar 29, 2024

Package

jumpserver

Affected versions

v3.0.0-v3.10.5

Patched versions

v3.10.6

Description

Impact

An authenticated user can exploit the Insecure Direct Object Reference (IDOR) vulnerability in the file manager's bulk transfer by manipulating job IDs to upload malicious files, potentially compromising the integrity and security of the system.

Details

When users upload files to the server, a job ID is generated to track the file upload operation. However, it has been discovered that this job ID can be manipulated by an attacker. This vulnerability enables an attacker, under the guise of a legitimate user, to hijack and control the file upload process.

Steps to reproduce the vulnerability are as follows:

  • A legitimate user initiates a file upload process, during which a unique job ID is generated for the operation.
  • An attacker, possessing the job ID, crafts a malicious POST request.
  • The manipulated file upload job executes successfully under the guise of the legitimate user's session, resulting in the unauthorized file being uploaded to the system.
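The root cause described above is a server-side handler that trusts a client-supplied job ID without checking that the job belongs to the authenticated session. The following is an added example, not JumpServer's own code: it models the upload job store in memory and shows the unchecked lookup beside the ownership-bound lookup that closes the IDOR. The class and function names (`JobStore`, `add_file_insecure`, `add_file`) are assumptions for illustration.

```python
"""Ownership check on upload job IDs: the IDOR pattern beside its fix.

Added example, not JumpServer's code. The job store, class names and
function names are assumptions chosen to illustrate the advisory.
"""
import secrets
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a caller acts on a job it does not own."""


@dataclass
class UploadJob:
    job_id: str
    owner: str
    files: list = field(default_factory=list)


class JobStore:
    """In-memory stand-in for the table that tracks bulk-transfer jobs."""

    def __init__(self):
        self._jobs = {}

    def create_job(self, owner):
        # Unguessable IDs raise the bar but are not the fix on their own:
        # the advisory's attacker already possesses a valid job ID.
        job = UploadJob(job_id=secrets.token_urlsafe(16), owner=owner)
        self._jobs[job.job_id] = job
        return job

    def add_file_insecure(self, job_id, filename):
        # Vulnerable pattern: the job is fetched by ID alone, so any
        # authenticated user who knows the ID can attach files to it.
        # In Django ORM terms this is Model.objects.get(pk=job_id).
        job = self._jobs[job_id]
        job.files.append(filename)
        return job

    def add_file(self, job_id, session_user, filename):
        # Hardened pattern: the lookup is bound to the session user, and the
        # check happens before any state changes. Django ORM equivalent:
        # Model.objects.get(pk=job_id, owner=request.user).
        job = self._jobs.get(job_id)
        if job is None or job.owner != session_user:
            # One error for "missing" and "not yours" so that responses do
            # not reveal which job IDs exist.
            raise Forbidden("job not found or not owned by caller")
        job.files.append(filename)
        return job


def demo():
    """Run both handlers against a job created by one user and touched by another.

    Returns (insecure_accepted, hardened_rejected, owner_files).
    """
    store = JobStore()
    job = store.create_job("alice")

    # Insecure handler: a second user's request lands on alice's job.
    store.add_file_insecure(job.job_id, "unexpected.bin")
    insecure_accepted = "unexpected.bin" in job.files

    # Hardened handler: same request is refused; the owner's own upload succeeds.
    try:
        store.add_file(job.job_id, "mallory", "unexpected2.bin")
        hardened_rejected = False
    except Forbidden:
        hardened_rejected = True
    store.add_file(job.job_id, "alice", "report.pdf")

    return insecure_accepted, hardened_rejected, list(job.files)


if __name__ == "__main__":
    print(demo())
```

The check is deliberately placed in the same function that performs the lookup, so that no code path can obtain a job object without also proving ownership; a review of the patched handler should confirm that every route which accepts a job ID goes through such a bound lookup.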

Patches

Safe versions: >= v3.10.6

Workarounds

It is recommended to upgrade to the safe versions.
After upgrading, the attacker cannot manipulate the job ID and the file upload process is secure.

References

Thanks to @secur30nly for reporting this issue.

Severity

Moderate 4.6 / 10

CVSS base metrics

  • Attack vector: Network
  • Attack complexity: High
  • Privileges required: Low
  • User interaction: Required
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: Low
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

CVE ID

CVE-2024-29024

Weaknesses

No CWEs

Credits