You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Description:
The streamProgress SSE endpoint is missing the user-null check present in its sibling getProgress. It also sets Access-Control-Allow-Origin: *, making it subscribable from any cross-origin page. Any unauthenticated or cross-origin request can subscribe to any operationId and receive real-time progress updates for another user's import/sync operation.
Scenario:
Attacker tricks admin into visiting a malicious page while the admin runs a large import.
The page subscribes to the SSE stream with the operation ID (discoverable or brute-forced).
Real-time progress data (file names, counts, error messages) streams to the attacker.
Suggested fix:
Authenticate the request and return 401 if user is null.
Bind operationId to the authenticated user so that cross-user subscriptions are rejected.
Remove the wildcard Access-Control-Allow-Origin: * header.
Severity: HIGH
Location:
lib/Controller/SettingsController.phplines 1237–1330 (streamProgress)Description:
The
streamProgressSSE endpoint is missing the user-null check present in its siblinggetProgress. It also setsAccess-Control-Allow-Origin: *, making it subscribable from any cross-origin page. Any unauthenticated or cross-origin request can subscribe to anyoperationIdand receive real-time progress updates for another user's import/sync operation.Scenario:
Suggested fix:
operationIdto the authenticated user so that cross-user subscriptions are rejected.Access-Control-Allow-Origin: *header.Source: deep team-reviewer pass 2026-05-27