Froala upload endpoint is unsecured

ASWWU-Web / python_server

The API server for ASWWU Web. This project uses the Tornado web framework to serve and manage data across all ASWWU sites.

https://aswwu.com/server

4 stars 10 forks source link

Closed ermsdev closed 5 years ago

ermsdev commented 5 years ago

Arbitrary files may be uploaded to the cms directory without requiring the user to have adequate permissions or to be signed in. Fixed in #116.