CVE-2024-34829

Name of the Vulnerable Software and Affected Versions Eramba Community versions prior to 3.22.0

Description A bug was found in the /attachments/attachments/download/ API endpoint, allowing arbitrary file download due to a lack of user permission checks. This issue is related to an Insecure Direct Object Reference (IDOR).

Recommendations For versions prior to 3.22.0, update to version 3.22.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the /attachments/attachments/download/ API endpoint until a patch is available.