In tangro Business Workflow prior to 1.18.1, the documentId of attachment uploads to /api/document/attachments/upload can be manipulated. By doing this, users can add attachments to workitems that do not belong to them.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
tangro business workflow |