CVE-2022-45175

Name of the Vulnerable Software and Affected Versions LIVEBOX Collaboration vDesk versions through v018

Description An issue allows an Insecure Direct Object Reference to occur under the "5.6.5-3/doc/{ID-FILE}/c/{N}/{C}/websocket" endpoint. A malicious unauthenticated user can access cached files in the OnlyOffice backend of other users by guessing the ID-FILE of a target file.

Recommendations For LIVEBOX Collaboration vDesk versions through v018, as a temporary workaround, consider restricting access to the "5.6.5-3/doc/{ID-FILE}/c/{N}/{C}/websocket" endpoint until a patch is available. Avoid using the ID-FILE parameter in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.