Unknown · Wimi Teamwork · CVE-2025-34133
**Name of the Vulnerable Software and Affected Versions**
Wimi Teamwork versions prior to 7.38.17
**Description**
The software's API is vulnerable to cross-site request forgery (CSRF). Authenticated API requests carry a JSON field named `csrf token`, but the server only checks that the field is present; it never compares the supplied value with the token bound to the caller's session. An attacker can therefore craft a cross-site request that makes a logged-in victim's browser submit a JSON POST whose `csrf token` is arbitrary or empty, and the API executes the request with the victim's privileges. Because the token is not tied to the victim's session, it provides no protection at all: as with any CSRF, the attack needs only that the victim's browser attach the session credential to the forged request. Exploitation could allow an attacker to perform actions as the victim, potentially resulting in account takeover, privilege escalation, or service disruption.
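The check described above, as an added example that is not Wimi's code: a presence-only validator that mirrors the flaw, next to a hardened version that compares the `csrf token` field against a token bound to the session and, as defence in depth, checks the request's origin. The in-memory session store, the function names, the JSON bodies and the `https://app.example.test` origin are assumptions for illustration.

```python
"""Added example (not Wimi Teamwork code): presence-only CSRF check versus
a session-bound check. Session store, names and origins are assumptions."""
import hmac
import json
import secrets
from typing import Dict, Optional

# Constructed in-memory session store: session id -> per-session CSRF token.
SESSIONS: Dict[str, Dict[str, str]] = {}


def new_session() -> str:
    """Create a session and bind a fresh random CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def _parse(body: str) -> Optional[dict]:
    """Parse a JSON object body; return None when it is not a JSON object."""
    try:
        payload = json.loads(body)
    except ValueError:
        return None
    return payload if isinstance(payload, dict) else None


def vulnerable_check(session_id: str, body: str) -> bool:
    """Mirrors the flaw: the `csrf token` field must exist, its value is never compared."""
    if session_id not in SESSIONS:
        return False
    payload = _parse(body)
    # An empty string or any junk value passes, so a forged request succeeds.
    return payload is not None and "csrf token" in payload


def hardened_check(session_id: str, body: str, origin: Optional[str] = None,
                   allowed_origin: str = "https://app.example.test") -> bool:
    """Reject unless the supplied token equals the one bound to this session.

    The Origin check is defence in depth: a forged cross-site request carries
    the attacker's origin, a same-origin request the application's own.
    """
    if session_id not in SESSIONS:
        return False
    if origin is not None and origin != allowed_origin:
        return False
    payload = _parse(body)
    if payload is None:
        return False
    supplied = payload.get("csrf token")
    if not isinstance(supplied, str) or not supplied:
        return False
    expected = SESSIONS[session_id]["csrf_token"]
    # Constant-time comparison so the check cannot be timed byte by byte.
    return hmac.compare_digest(supplied.encode(), expected.encode())


def demo() -> Dict[str, bool]:
    """Run a forged and a legitimate request through both checks."""
    victim = new_session()
    real_token = SESSIONS[victim]["csrf_token"]
    forged = json.dumps({"csrf token": "", "action": "change_email"})
    legit = json.dumps({"csrf token": real_token, "action": "change_email"})
    return {
        "vulnerable_accepts_forged": vulnerable_check(victim, forged),
        "hardened_rejects_forged": not hardened_check(victim, forged),
        "hardened_accepts_legit": hardened_check(victim, legit),
        "hardened_rejects_foreign_origin": not hardened_check(
            victim, legit, origin="https://attacker.example"),
    }


if __name__ == "__main__":
    print(demo())
```

The hardened version rejects a token from another session as well as an empty one, which is the property to test when verifying a fix: a request whose field is present but wrong must fail, not only one whose field is missing.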
**Recommendations**
Update Wimi Teamwork to version 7.38.17 or later. When verifying the fix, confirm that an authenticated API request whose `csrf token` value is empty or does not match the caller's session is rejected, not only a request in which the field is missing.