HGiga OAKlouds File Download Vulnerability Allows Attackers to Download and Delete Files Without Authentication

CVE: CVE-2024-26261
CVSS (v3.1): 9.8
Source: CVE-2024-26261

HGiga OAKlouds, a cloud storage solution, has a vulnerability that allows attackers to download and delete files without logging in.

The issue is located in certain modules that handle file downloads. By manipulating request parameters, an attacker can specify a file path and download the file. Even more concerning is that the file is automatically deleted after it’s downloaded.

This presents a serious risk as it gives unauthenticated attackers full control over files without any authorization. They can extract sensitive documents, images and other content before deleting the evidence.

Because cloud storage solutions hold a lot of important data, this is a serious security flaw. Users should keep their HGiga OAKlouds software updated to the latest version, as developers have likely patched this vulnerability by now. Organizations should also review logs and security controls for any unauthorized access during the vulnerable period.

Going forward, companies should thoroughly test parameters and access controls for file downloads. Proper authentication and access restrictions are necessary to prevent this type of arbitrary file reading and deletion by unauthorized parties.
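The three controls named above (authentication, path restriction, and no deletion as a side effect of a download) are shown in the added example below. It is not HGiga's code: the function names, the per-user directory layout and the server-side `session_user` value are assumptions made for illustration, and the files are constructed sample data.

```python
import tempfile
from pathlib import Path


class DownloadDenied(Exception):
    """Raised when a request fails the authentication or path check."""


def resolve_download(storage_root, requested, session_user):
    # 1. Authenticate before looking at any request parameter.
    if not session_user:
        raise DownloadDenied("authentication required")
    # 2. Confine the path to the caller's directory after resolving '..' and symlinks.
    user_root = (Path(storage_root) / session_user).resolve()
    target = (user_root / requested).resolve()
    if not target.is_relative_to(user_root):
        raise DownloadDenied("path escapes the user's storage directory")
    if not target.is_file():
        raise DownloadDenied("no such file")
    return target


def serve_download(storage_root, requested, session_user):
    # 3. Read-only: a download never deletes the file as a side effect.
    return resolve_download(storage_root, requested, session_user).read_bytes()


def demo():
    """Constructed layout: one user directory plus a file outside it."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "alice").mkdir()
        (Path(root) / "alice" / "report.txt").write_bytes(b"quarterly")
        (Path(root) / "secret.conf").write_bytes(b"db_password")
        cases = [("anonymous", "report.txt", None),
                 ("traversal", "../secret.conf", "alice"),
                 ("absolute", str(Path(root) / "secret.conf"), "alice")]
        results = {}
        for label, path, user in cases:
            try:
                serve_download(root, path, user)
                results[label] = "served"
            except DownloadDenied as exc:
                results[label] = str(exc)
        results["owner"] = serve_download(root, "report.txt", "alice")
        results["still_there"] = (Path(root) / "alice" / "report.txt").exists()
        return results


if __name__ == "__main__":
    print(demo())
```

`Path.is_relative_to` requires Python 3.9 or later.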
