CVE-2020-12687

Name of the Vulnerable Software and Affected Versions Serpico versions prior to 1.3.3

Description An issue was discovered where the "/admin/attacments backup" endpoint can be requested by non-admin authenticated users. This allows an attacker with a user account to retrieve all attachments of all users, including administrators, from the database.

Recommendations For versions prior to 1.3.3, update to version 1.3.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/admin/attacments backup" endpoint to only admin users until a patch is applied.