PT-2020-16331 · Tangro · Tangro Business Workflow

Published: 2020-12-18 · Updated: 2020-12-21 · CVE-2020-26176

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: tangro Business Workflow versions prior to 1.18.1
Description: No, or broken, access control checks are in place on the "/api/document//attachments" API endpoint. This allows an attacker who knows a document ID to list all attachments of a workitem, including their respective IDs, potentially gathering valid attachment IDs for workitems that do not belong to them.
Recommendations: For versions prior to 1.18.1, update to version 1.18.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/api/document//attachments" API endpoint to minimize the risk of exploitation.
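The following is an added example, not code from tangro or from this advisory, that models the class of defect described above: an attachment-listing handler that authenticates the caller but never checks that the caller may read the requested document, beside a corrected handler that performs that object-level check and records refused requests for detection. All users, document IDs, attachment IDs and the sharing model are constructed assumptions.

```python
# Added example (not tangro's code): toy attachment-listing endpoint with and
# without the object-level authorization check. Users, document IDs,
# attachment IDs and the sharing model are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Document:
    doc_id: int
    owner: str
    shared_with: set = field(default_factory=set)
    attachments: dict = field(default_factory=dict)  # attachment_id -> filename


# Constructed store: two workitems belonging to different users.
DOCUMENTS = {
    1001: Document(1001, "alice", {"carol"}, {501: "invoice.pdf", 502: "receipt.png"}),
    1002: Document(1002, "bob", set(), {777: "contract.pdf"}),
}

DENIED = []  # audit trail of refused requests; a detection rule would consume this


def list_attachments_vulnerable(user: str, doc_id: int):
    """Attachment listing as the advisory describes it (assumed behaviour):
    the caller is authenticated (PR:L) but any user can enumerate any document."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return 404, None
    return 200, sorted(doc.attachments)


def can_read(user: str, doc: Document) -> bool:
    """Object-level authorization: the owner or an explicitly shared user."""
    return user == doc.owner or user in doc.shared_with


def list_attachments_fixed(user: str, doc_id: int):
    """Same endpoint with the missing check. A foreign document gets the same
    404 as a missing one, so the response does not confirm that the ID exists."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or not can_read(user, doc):
        DENIED.append((user, doc_id))
        return 404, None
    return 200, sorted(doc.attachments)


if __name__ == "__main__":
    print(list_attachments_vulnerable("bob", 1001))  # (200, [501, 502]): leak
    print(list_attachments_fixed("bob", 1001))       # (404, None)
    print(list_attachments_fixed("carol", 1001))     # (200, [501, 502])
```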


Weakness Enumeration

Insecure Storage of Sensitive Information

Related Identifiers

CVE-2020-26176

Affected Products

Tangro Business Workflow