Potential Sensitive Data Exposure in FileCloud

Security Advisory Date: February 15, 2021
Vulnerability Type: Sensitive Data Exposure (for more information, see https://owasp.org/www-project-top-ten/)
Severity factors: Agent must be able to log in to the local network
Versions affected: FileCloud Version 15 through FileCloud Version 20.3.1
Version fixed: FileCloud Version


The security issue involved users whose folder permissions in FileCloud denied them access to a folder's sub-folders, but whose share permissions allowed them access to those same sub-folders. Because these users could see actions on the sub-folders in their activity streams, they were able to view the names (but not the content) of the sub-folders and of the files and folders they contained. If sub-folders or their files were named using confidential information, unauthorized users could see that information, and in this way it would be shared and possibly exploited.


This has been fixed in FileCloud version so that users who are not given access to sub-folders cannot see the sub-folder names.
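The permission mismatch described above, as an added example that is not FileCloud's code: a simplified model in which an activity stream that consults only share permissions exposes names under a folder-denied sub-folder, next to a view where the folder-level deny takes precedence. The data structures, function names, user names and paths are all hypothetical and constructed for illustration, and the assumption that the stream checked share permissions alone is a modelling choice, not a statement of the product's internals.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath

@dataclass(frozen=True)
class Event:
    actor: str
    action: str
    path: str

# Constructed sample data (hypothetical model, not FileCloud's schema).
FOLDER_DENY = {"bob": {"/team/projects/hr"}}   # folder permissions: denied sub-folders
SHARE_ALLOW = {"bob": {"/team/projects"}}      # share permissions: shared folder trees
STREAM = [
    Event("alice", "upload", "/team/projects/readme.txt"),
    Event("alice", "upload", "/team/projects/hr/layoffs-2021.xlsx"),
    Event("alice", "create", "/team/projects/hr/salaries"),
]

def _under(path, roots):
    """True if path equals one of roots or lies anywhere beneath it."""
    p = PurePosixPath(path)
    return any(p == PurePosixPath(r) or PurePosixPath(r) in p.parents for r in roots)

def share_allows(user, path):
    return _under(path, SHARE_ALLOW.get(user, ()))

def folder_denies(user, path):
    return _under(path, FOLDER_DENY.get(user, ()))

def stream_share_only(user):
    """Flawed view: consults share permissions only, so denied names appear."""
    return [e.path for e in STREAM if share_allows(user, e.path)]

def stream_effective(user):
    """Hardened view: a folder-level deny overrides the share grant."""
    return [e.path for e in STREAM
            if share_allows(user, e.path) and not folder_denies(user, e.path)]

def leaked_names(user):
    """Audit helper: names the flawed view shows that the hardened view hides."""
    return sorted(set(stream_share_only(user)) - set(stream_effective(user)))

if __name__ == "__main__":
    for name in leaked_names("bob"):
        print("exposed name:", name)
```

The same difference check can serve as a regression test: any non-empty result from `leaked_names` means a stream entry was shown for a path the user's folder permissions deny.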

What you should do

If you have any questions about this advisory, please contact FileCloud support.