Advisory: 2020-01 SMS 2FA Set a phone number


FileCloud installations that have SMS based 2FA enabled does not have any validation when setting a phone number for a user account.

Any unauthenticated user can reset the phone number of a FileCloud user in the system by sending the username and phone number with an invalid verification code. This will require the attacker to know the correct username of the user account that exists in the FileCloud. 


This has been fixed in FileCloud versions later. 

If you are using FileCloud on premise installation, please update to the latest version.

If you are using FileCloud online, your site has already been updated to the latest version.