[bug]: Unauthorized Access to /uploads Exposing Images Publicly #3694
Comments
Hi @hadran9, thank you for reporting this. We are already working on it as a priority. We will keep you posted on the update.
Hello @srinivaspendem and @pablohashescobar,
@srinivaspendem and @pablohashescobar, However, during the upgrade, I encountered a new issue, as shown in the attached screenshot. When attempting to open the image via its URL, I encountered the following: This issue seems to affect only the old images. New images that I upload do not encounter this problem. Could you please provide some insight into this? Should I create a new ticket for this issue?
@hadran9, this would be the images that were uploaded before you changed the
@pablohashescobar Given that the current issue has been resolved, I will proceed to close it. However, are there any other open issues for the old images that are not functioning correctly after the upgrade?
Is there an existing issue for this?
Current behavior
This issue requires urgent attention due to its potential security implications.
Upon navigating to the /upload endpoint, it has come to my attention that all images are publicly accessible without the necessity for user authentication. The exposure of these images could potentially be linked to the public status of some projects, or it may be a default behavior across all Plane projects. This issue warrants immediate attention as it poses a significant information disclosure vulnerability.
This issue has been previously reported in issue #2252, dating back to September, but it appears to have been left unresolved.
Steps to reproduce
/upload endpoint.
Browser
Google Chrome
Version
Self-hosted