PT-2019-14002 · Humanica · Humatrix

Published 2019-08-18 · Updated 2021-07-21 · CVE-2019-15129

CVSS v3.1 5.3 Medium

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Humanica Humatrix versions 1.0.0.203 through 1.0.0.681

Description: The issue allows an unauthenticated attacker to access all candidates' files in the photo folder on the website. This can be achieved by specifying a user id parameter and file name in a URI, such as "recruitment online/upload/user/[user id]/photo/[file name]".

Recommendations: For versions 1.0.0.203 through 1.0.0.681, restrict access to the "recruitment online/upload/user/[user id]/photo/[file name]" endpoint to prevent unauthorized file access. Avoid using the user id parameter in this endpoint until the issue is resolved.
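As an added example (not part of the advisory or of the vendor's code), the owner check the recommendation calls for on the photo URI quoted above, plus a detection pass over constructed access-log lines; the log format, the session handling and every user id and file name are assumptions.

```python
import re
from urllib.parse import unquote

# URI shape quoted in the advisory: recruitment online/upload/user/[user id]/photo/[file name].
# The space in "recruitment online" usually arrives as %20, so the path is URL-decoded first.
PHOTO_PATH = re.compile(r"^/?recruitment online/upload/user/(?P<uid>\d+)/photo/(?P<file>[^/]+)$")
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9_.-]+$")

def parse_photo_request(path):
    """Return (user_id, filename) for a well-formed candidate-photo URI, else None."""
    match = PHOTO_PATH.match(unquote(path))
    if not match:
        return None
    filename = match.group("file")
    # Reject dot segments and odd characters so the file name cannot leave the photo folder.
    if filename in (".", "..") or not SAFE_FILENAME.match(filename):
        return None
    return int(match.group("uid")), filename

def is_authorized(session_user_id, path):
    """Allow the download only for an authenticated session that owns the [user id] in the path."""
    if session_user_id is None:  # no session at all: the advisory's unauthenticated case
        return False
    parsed = parse_photo_request(path)
    if parsed is None:
        return False
    owner_id, _ = parsed
    return owner_id == session_user_id

# Constructed sample access-log lines (assumed format): "<session user id or -> <status> <path>".
SAMPLE_LOG = """\
- 200 /recruitment%20online/upload/user/1042/photo/cv_photo.jpg
7 200 /recruitment%20online/upload/user/7/photo/me.png
7 200 /recruitment%20online/upload/user/1043/photo/passport.jpg
- 200 /recruitment%20online/upload/user/1044/photo/../../web.config
"""

def find_suspicious(log_text):
    """Flag successful photo downloads that the owner check would have refused."""
    hits = []
    for line in log_text.splitlines():
        session, status, path = line.split(" ", 2)
        session_user_id = None if session == "-" else int(session)
        if status == "200" and not is_authorized(session_user_id, path):
            hits.append(path)
    return hits
```

Running find_suspicious over the sample flags the anonymous downloads and the cross-user one, and leaves the owner's own request alone.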

Exploit

Fix

Missing Authentication


Weakness Enumeration

Related identifiers

CVE-2019-15129

Affected products

Humatrix