Unknown · Filebrowser · CVE-2026-30933
**Name of the Vulnerable Software and Affected Versions**
FileBrowser versions prior to 1.3.1-beta and 1.2.2-stable
**Description**
An incomplete remediation of a previous issue allows disclosure of tokenized download URLs via the `/public/api/share/info` endpoint for password-protected shares. Tokenized download URLs are written into the persistent share model, and the public endpoint does not clear the `DownloadURL` field before returning the share information. Because the token in `DownloadURL` grants access to the shared file, an unauthenticated attacker can retrieve password-protected shared files without the password, resulting in authentication bypass and unauthorized file access. The vulnerable code is located in `backend/http/share.go` (specifically the `convertToFrontendShareResponse` function) and `backend/share.go` (specifically the `shareInfoHandler` method).
**Recommendations**
Versions prior to 1.3.1-beta must be updated.
Versions prior to 1.2.2-stable must be updated.
Sanitize the `DownloadURL` in public share info responses by setting `commonShare.DownloadURL = ""` before returning the JSON response in the `shareInfoHandler` method located in `backend/share.go`.
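The following Go program is an added illustration of the recommended fix and is not FileBrowser's own code. It models the pattern the advisory describes: a persisted share record carries a tokenized `DownloadURL`, a conversion helper copies the record into a response struct, and the public info handler clears `DownloadURL` before encoding the JSON. The type and function names (`Share`, `PublicShareInfo`, `convertToResponse`, `shareInfoHandler`, `fetchShareInfo`, `leaksToken`), the in-memory store, and the sample token values are all constructed for this example; `fetchShareInfo` drives the handler in-process with `httptest` so the redaction can be checked without a running server.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Share stands in for the persisted share model (assumed shape, not FileBrowser's type).
// DownloadURL is stored here, which is why a public view must redact it.
type Share struct {
	Hash         string `json:"hash"`
	Path         string `json:"path"`
	PasswordHash string `json:"-"`
	DownloadURL  string `json:"downloadURL,omitempty"`
}

// PublicShareInfo is the response body returned by the public info endpoint.
type PublicShareInfo struct {
	Hash              string `json:"hash"`
	PasswordProtected bool   `json:"passwordProtected"`
	DownloadURL       string `json:"downloadURL,omitempty"`
}

// store is a constructed in-memory share store with placeholder tokens.
var store = map[string]Share{
	"abc123": {Hash: "abc123", Path: "/secret.pdf", PasswordHash: "hashed-EXAMPLE", DownloadURL: "/api/raw?token=TOKEN-PLACEHOLDER-1"},
	"open42": {Hash: "open42", Path: "/readme.txt", DownloadURL: "/api/raw?token=TOKEN-PLACEHOLDER-2"},
}

// convertToResponse mirrors a generic model-to-response conversion: it copies
// every field, including DownloadURL, because other (authenticated or
// post-password) flows legitimately need the tokenized URL.
func convertToResponse(s Share) PublicShareInfo {
	return PublicShareInfo{
		Hash:              s.Hash,
		PasswordProtected: s.PasswordHash != "",
		DownloadURL:       s.DownloadURL,
	}
}

// shareInfoHandler serves GET /public/api/share/info?hash=<hash>.
// The fix from the advisory is the single assignment that clears DownloadURL
// before the response is encoded; nothing else about the handler changes.
func shareInfoHandler(w http.ResponseWriter, r *http.Request) {
	s, ok := store[r.URL.Query().Get("hash")]
	if !ok {
		http.Error(w, "not found", http.StatusNotFound)
		return
	}
	resp := convertToResponse(s)
	resp.DownloadURL = "" // public info must never expose the download token
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(resp)
}

// fetchShareInfo runs the handler in-process and returns the decoded body as a
// generic map so callers can check which keys are actually present.
func fetchShareInfo(hash string) (map[string]any, int) {
	req := httptest.NewRequest(http.MethodGet, "/public/api/share/info?hash="+hash, nil)
	rec := httptest.NewRecorder()
	shareInfoHandler(rec, req)
	body := map[string]any{}
	json.Unmarshal(rec.Body.Bytes(), &body)
	return body, rec.Code
}

// leaksToken reports whether a response body carries a non-empty download URL.
func leaksToken(body map[string]any) bool {
	v, present := body["downloadURL"]
	return present && v != ""
}

func main() {
	for _, h := range []string{"abc123", "open42", "missing"} {
		body, code := fetchShareInfo(h)
		fmt.Printf("%s -> HTTP %d leaksToken=%v body=%v\n", h, code, leaksToken(body), body)
	}
}
```

Clearing the field in the handler rather than in the conversion helper keeps the helper reusable for flows that are allowed to see the URL; the `omitempty` tag then drops the key from the JSON entirely, so a regression check can simply assert the key is absent from the public response.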