Summary
A user with no view rights on a page may see the content of an office attachment from that page when the attachment is displayed with the view file macro on another page.
Details
If an office attachment from a restricted page is displayed on a public page, a user with no view rights on the restricted page can view the attachment content, regardless of the display type used. The macro checks the rights on the page that hosts it, not on the page that owns the attachment.
PoC
- Install and activate the Pro Macros application
- Create a page and limit the view rights for a test user
- Add an attachment to the restricted page
- Create a new public page
- Add the view file macro and select the attachment from the restricted page using any display type
- Login as the test user with restricted view rights
- The user will see the attachment content despite having no view rights on the restricted page
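The following is an added illustration of the gap described in the Details and PoC sections above; it is a constructed, simplified model, not XWiki or Pro Macros code. The page names, users, display types and the "Page@filename" reference syntax are assumptions. It shows the vulnerable pattern (checking only the page that hosts the macro) beside the corrected one (also checking the page that owns the attachment before anything is rendered), and shows that the check must sit in front of every display type.

```python
# Added illustration of the access-control gap in this advisory.
# Constructed, simplified model, not XWiki or Pro Macros code: page names,
# users, display types and the "Page@filename" reference syntax are assumptions.
from dataclasses import dataclass, field


@dataclass
class Page:
    name: str
    public: bool = True
    viewers: set = field(default_factory=set)        # users allowed when not public
    attachments: dict = field(default_factory=dict)  # filename -> content


class Wiki:
    def __init__(self):
        self.pages = {}

    def add_page(self, page):
        self.pages[page.name] = page

    def can_view(self, user, page_name):
        """View right on a page: public pages are readable by anyone,
        restricted pages only by the listed viewers."""
        page = self.pages[page_name]
        return page.public or user in page.viewers

    def get_attachment(self, ref):
        """Resolve a 'Page@filename' reference to (owning page, content)."""
        page_name, _, filename = ref.partition("@")
        return page_name, self.pages[page_name].attachments[filename]


DISPLAY_TYPES = ("full", "thumbnail", "button")
DENIED = "[attachment not viewable by current user]"


def _render(content, display):
    """Representation chosen by the display type; the same content ends up
    in the output whichever type is used, so no type is safe without a check."""
    if display == "full":
        return content
    if display == "thumbnail":
        return "<thumbnail>" + content + "</thumbnail>"
    return '<button data-preview="' + content + '">Open</button>'


def view_file_vulnerable(wiki, user, host_page, ref, display="full"):
    """Checks only the page that hosts the macro, so an attachment pulled in
    from a restricted page is shown to anyone who can see the host page."""
    if not wiki.can_view(user, host_page):
        raise PermissionError(host_page)
    _, content = wiki.get_attachment(ref)
    return _render(content, display)


def view_file_fixed(wiki, user, host_page, ref, display="full"):
    """Also checks the page that owns the attachment, before any rendering,
    so the display type cannot be used to get around the restriction."""
    if not wiki.can_view(user, host_page):
        raise PermissionError(host_page)
    source_page, content = wiki.get_attachment(ref)
    if not wiki.can_view(user, source_page):
        return DENIED
    return _render(content, display)


def build_sample_wiki():
    """Constructed sample: one restricted page with an office attachment and
    one public page that will embed it via the macro."""
    wiki = Wiki()
    wiki.add_page(Page("Restricted", public=False, viewers={"admin"},
                       attachments={"report.docx": "quarterly figures"}))
    wiki.add_page(Page("Public"))
    return wiki


if __name__ == "__main__":
    w = build_sample_wiki()
    for d in DISPLAY_TYPES:
        print(d, "vulnerable:", view_file_vulnerable(w, "guest", "Public", "Restricted@report.docx", d))
        print(d, "fixed:     ", view_file_fixed(w, "guest", "Public", "Restricted@report.docx", d))
```

The design point is where the authorization check is made: the decision has to be taken against the document that owns the attachment, using the current user's rights, and it has to happen before the content is handed to any renderer, because every display type ultimately carries the same bytes.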
Workarounds
None
Impact
Private data can be leaked if a user who has edit rights on some page knows the reference to an attachment on a page they are not allowed to view.