This requires a vid to be sent with guest requests and forces both roundtriptoken and owasp csrf to be on for guest interactions. This means that the vid would need to be known or guessed and that the two tokens would have to be leaked from an active browser session for a possible attack. The roundtriptoken is unique for each new transfer created; the owasp csrf is a session-based token.
This is described in detail in section 5.1.7 of the recent security audit.
This was resolved with https://github.com/filesender/filesender/pull/1268
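The layered guest check described above, as an added Python model of the rule (this is not FileSender's PHP code; the names GuestState, guest_request_allowed and the sample token values are assumptions): a guest request is accepted only when the vid, the per-transfer roundtriptoken and the session CSRF token all match.

```python
import hmac
import secrets

# Constructed model of the guest-request check: all three factors must be
# present and match, so a leaked single value is not enough on its own.
#   vid            - the guest voucher id the request must name
#   roundtriptoken - unique per transfer, bound to that transfer server-side
#   csrf           - bound to the active browser session

class GuestState:
    """Server-side knowledge about one guest (constructed for this example)."""
    def __init__(self, vid, transfer_tokens, session_csrf):
        self.vid = vid
        self.transfer_tokens = transfer_tokens   # transfer_id -> roundtriptoken
        self.session_csrf = session_csrf

def new_roundtriptoken():
    # Fresh random token for each newly created transfer.
    return secrets.token_hex(16)

def _matches(expected, presented):
    # Constant-time comparison; an absent value on either side never matches.
    if expected is None or presented is None:
        return False
    return hmac.compare_digest(str(expected), str(presented))

def guest_request_allowed(state, request):
    """request: dict with keys vid, transfer_id, roundtriptoken, csrf."""
    if not _matches(state.vid, request.get("vid")):
        return False
    # The roundtriptoken is looked up for the specific transfer named, so a
    # token from another transfer does not carry over.
    expected_rtt = state.transfer_tokens.get(request.get("transfer_id"))
    if not _matches(expected_rtt, request.get("roundtriptoken")):
        return False
    return _matches(state.session_csrf, request.get("csrf"))
```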