{“lastseen”:””,”description”:”FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to version 1.4.0, a business logic flaw in FileRise\u2019s file\/folder handling allows low-privilege users to perform unauthorized operations (view\/delete\/modify) on files created by other users. The root cause was inferring ownership\/visibility from folder names (e.g., a folder named after a username) and missing server-side authorization\/ownership checks across file operation endpoints. This amounted to an IDOR pattern: an attacker could operate on resources identified only by predictable names. This issue has been patched in version 1.4.0 and further hardened in version 1.5.0. A workaround for this issue involves restricting non-admin users to read-only or disable delete\/rename APIs server-side, avoid creating top-level folders named after other usernames, and adding server-side checks that verify ownership before delete\/rename\/move.”,”published”:”2025-10-20T17:38:49.999Z”,”modified”:”2025-10-20T18:05:53.350Z”,”type”:”cve”,”title”:”FileRise improper ownership\/permission validation allowed cross-tenant file operations”,”source”:”GitHub_M”,”references”:”https:\/\/github.com\/error311\/FileRise\/security\/advisories\/GHSA-6p87-q9rh-95wh\\nhttps:\/\/github.com\/error311\/FileRise\/issues\/53\\nhttps:\/\/github.com\/error311\/FileRise\/commit\/25ce6a76beb60950359c0304765ad91a8aff8ad8″,”id”:”CVE-2025-62509″,”bulletinFamily”:””,”cwe”:[“CWE-280″,”CWE-284″],”cvelist”:null,”sourceData”:”error311 FileRise \\u003c 1.4.0″,”sourceHref”:””,”cvss”:{“score”:8.1,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”FileRise”,”version”:”\\u003c 1.4.0″,”vendor”:”error311″,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to version 1.4.0, a business logic flaw in FileRise\u2019s file\/folder…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,52,12,15,13,7,11,5],"class_list":["post-22476","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-81","tag-exploit","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n