File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.1, a broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file deletion for certain users is affected.
This issue has been patched in version 2.61.1.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
None
No data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service
CVSS Vector v3.1
Weakness Type (CWE)
References 3
https://github.com/filebrowser/filebrowser/commit/7ed1425115be602c2b23236c41009…
security-advisories@github.com
https://github.com/filebrowser/filebrowser/releases/tag/v2.61.1
security-advisories@github.com
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-79pf-vx4x-7…
security-advisories@github.com