CVE-2023-28876 in Fileruninfo

Summary

by MITRE • 12/06/2023

A Broken Access Control issue in comments to uploaded files in Filerun through Update 20220202 allows attackers to delete comments on files uploaded by other users.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 12/07/2025

The vulnerability CVE-2023-28876 represents a critical broken access control flaw within the Filerun file management system, specifically affecting the comment functionality for uploaded files. This issue exists in versions up to and including Update 20220202, creating a significant security risk for organizations relying on the platform for document collaboration and file sharing. The flaw stems from insufficient authorization checks when processing comment deletion requests, allowing unauthorized users to manipulate comments associated with files they do not own. This vulnerability directly violates fundamental security principles of access control and privilege management, creating a pathway for malicious actors to disrupt collaborative workflows and potentially gain insights into other users' activities within the system.

The technical implementation of this vulnerability occurs at the application level where the Filerun system fails to properly validate user permissions before executing comment deletion operations. When a user attempts to delete a comment on an uploaded file, the system should verify that the requesting user either owns the file or has appropriate administrative privileges to modify comments. However, the current implementation lacks this crucial authorization check, allowing any authenticated user to submit deletion requests for comments on files owned by other users. This represents a clear violation of CWE-285, which addresses improper authorization within software applications, and aligns with ATT&CK technique T1078.004 for valid accounts and T1566.001 for spearphishing attachments, as attackers could exploit this to disrupt legitimate user interactions and potentially escalate their access privileges.

The operational impact of CVE-2023-28876 extends beyond simple data manipulation, as it creates opportunities for more sophisticated attacks that could compromise the integrity of collaborative environments. Attackers could systematically remove comments that contain sensitive information, audit trails, or important project discussions, thereby undermining the security and reliability of the file management system. This vulnerability also enables potential information disclosure through the deletion of comments that might reference other users, file locations, or project details, effectively creating a form of data exfiltration through destructive means. Organizations using Filerun for sensitive document management, legal proceedings, or regulated environments face particular risk as this flaw could violate compliance requirements for data integrity and auditability, potentially leading to regulatory penalties and legal consequences.

Mitigation strategies for CVE-2023-28876 should prioritize immediate implementation of proper access control mechanisms within the Filerun platform. Organizations must ensure that all comment deletion operations include robust authorization checks that verify the requesting user's relationship to the target file and comment. This involves implementing proper user session validation, file ownership verification, and privilege escalation controls that align with the principle of least privilege. The recommended approach includes updating to the latest version of Filerun where this vulnerability has been patched, implementing network-level access controls to limit exposure, and conducting thorough security audits of all comment-related functionalities. Additionally, organizations should establish monitoring procedures to detect unauthorized comment deletion attempts and implement logging mechanisms that track all access control violations. These measures directly address the underlying CWE-285 weakness and help prevent the exploitation patterns described in ATT&CK framework techniques related to privilege escalation and unauthorized access. The vulnerability serves as a reminder of the critical importance of implementing comprehensive access control validation mechanisms throughout application logic, particularly in collaborative environments where multiple users interact with shared resources.

Reservation

03/27/2023

Disclosure

12/06/2023

Moderation

accepted

CPE

ready

EPSS

0.00483

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!