|Vulnerability type||Algorithm Confusion|
This vulnerability has a CVSS score of 9.1 with a critical severity rating.
|Versions affected||FileCloud Versions 22.1 and earlier|
|Version fixed||FileCloud Version 23.1. and later|
In versions of the Firebase PHP-JWT package earlier than 6.0.0, an algorithm confusion issue in the Key ID header allows an attacker to possibly forge tokens, causing the the key to validate them.
These vulnerabilities have been fixed in FileCloud version 184.108.40.20695 which upgrades PHP to version 8.2, which includes a version of Firebase PHP-JWT above 6.0.0.
What you should do to fix this vulnerability
- If you are using FileCloud Server, it is recommended that you update to the latest version, which is 220.127.116.1195 or greater. This will resolve the issue.
- If you are using FileCloud Online, your site has already been updated to the latest version.
If you have any questions about this advisory, please contact FileCloud support.