PT-2024-40013 · Saltcorn · Saltcorn

Published

2024-10-03

·

Updated

2024-10-03

CVSS v4.0

5.0

Medium

Vector

AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

Name of the Vulnerable Software and Affected Versions

Saltcorn versions 1.0.0 through 1.0.0-beta.13

Description

An authenticated user with the admin role can read and download arbitrary zip files through the auto-backup download feature. The filename parameter that selects the backup archive is not sanitized before it is passed to Express's res.download API, so path traversal sequences in the parameter escape the auto-backup directory. The impact is information disclosure: any zip file readable by the Saltcorn process can be downloaded by an admin.

Recommendations

For Saltcorn versions 1.0.0 through 1.0.0-beta.13, resolve the filename parameter to an absolute path before checking that it starts with the backup file prefix; checking the raw parameter and only then joining it onto the backup directory is what allows the traversal. As a temporary workaround, restrict access to the /admin/auto-backup-download/:filename endpoint (for example at a reverse proxy in front of Saltcorn) to minimize the risk of exploitation.

Fix

Weakness Enumeration

Path traversal

Related Identifiers

GHSA-277H-PX4M-62Q8

Affected Products

Saltcorn