File Browser: Out-of-scope file deletion by a Create-only scoped user via symlink-following RemoveAll in upload failure-cleanup
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.16, a scoped, non-admin File Browser user holding only the Create permission can delete arbitrary files outside their scope (other tenants' data, and the application's own database) via the upload failure-cleanup path. ScopedFs.RemoveAll is the one dereferencing operation that skips the symlink guard every other method enforces. The direct-upload handler runs RemoveAll on the user-controlled path during failed-upload cleanup, gated only by Perm.Create. If an escaping directory symlink already exists inside the user's scope, an authenticated create-only user can delete an out-of-scope target, bypassing both the ScopedFs boundary and the Perm.Delete gate. This vulnerability is fixed in 2.63.16.
Problem Types
| Type | CWE ID | Description |
|---|
| CWE | CWE-22 | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| CWE | CWE-59 | CWE-59: Improper Link Resolution Before File Access ('Link Following') |
Type: CWE
Description: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Type: CWE
Description: CWE-59: Improper Link Resolution Before File Access ('Link Following')
Metrics
| Version | Base score | Base severity | Vector |
|---|
| 3.1 | 8.2 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H |
Version: 3.1
Base score: 8.2
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H