Guchihacker

**Name of the Vulnerable Software and Affected Versions** File Browser versions prior to 2.55.0 **Description** File Browser provides a file managing interface for tasks like uploading, deleting, and editing files. A flaw in the `JSONAuth.Auth` function allows unauthenticated attackers to identify valid usernames by observing the response time of the `/api/login` endpoint. This is possible because the authentication logic has a "short-circuit" evaluation. When a username is not found, the function returns quickly, but when a username exists, a slower password verification process using `users.CheckPwd` is executed, creating a measurable timing difference. **Recommendations** Update to version 2.55.0 or later.