Summary
Laserfiche has identified a security vulnerability with self-hosted Laserfiche Forms. A summary of the vulnerability is below. Laserfiche has released a critical security update in order to address the issue. If you have not already applied this update, it should be applied immediately on Laserfiche Forms servers that are accessible from the public Internet or other open networks.
Is this vulnerability being used in an active exploit?
Yes. The vulnerability described in this advisory is being exploited: an unauthenticated third party can use Laserfiche Forms to temporarily host uploaded files for distribution. Valid customer form submission data is not impacted and is not accessible to the third party. The security updates address this vulnerability by reducing the time frame during which the temporary file download link is active.
What is the target for this exploit?
The target for the exploit is Laserfiche Forms installations and processes that have a public form that includes a file upload field.
Files uploaded by authenticated users are not affected as the download links will require authentication to access.
Exploitability
See the following exploitability assessment for this vulnerability at the time of original publication.
| Publicly Disclosed | Exploited | Exploitability Assessment |
| --- | --- | --- |
| Yes | Yes | Exploitation Detected |
Mitigations
We recommend prioritizing installing updates on Laserfiche Forms servers that are externally facing, as the vulnerability can be exploited by unauthenticated users. The following Laserfiche Forms security updates modify the default behavior of public forms to no longer provide a download link.
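To make the abuse scenario and the mitigation concrete, the following is an added, hypothetical model of a form upload service that issues temporary download links; it is not Laserfiche code, and the class, method and policy names are assumptions, since the advisory describes the behaviour but not the vendor's implementation. It contrasts a weak policy (public-form uploads yield an anonymous link that stays live for a long window) with a hardened one matching the updates (no link on public forms, short window, login required for authenticated submitters' links).

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class StoredUpload:
    file_name: str
    expires_at: float
    requires_auth: bool  # links for authenticated submitters need a login to open


class UploadLinkService:
    """Hypothetical upload store that hands out time-limited download tokens."""

    def __init__(self, link_ttl_seconds: float, public_forms_get_links: bool):
        self.link_ttl = link_ttl_seconds
        self.public_forms_get_links = public_forms_get_links
        self._links = {}  # token -> StoredUpload

    def store(self, file_name: str, submitter_authenticated: bool, now: float) -> Optional[str]:
        """Accept an upload; return a download token, or None when no link is issued."""
        if not submitter_authenticated and not self.public_forms_get_links:
            return None  # hardened default: public forms no longer expose a link
        token = secrets.token_urlsafe(16)
        self._links[token] = StoredUpload(file_name, now + self.link_ttl,
                                          requires_auth=submitter_authenticated)
        return token

    def can_download(self, token: str, requester_authenticated: bool, now: float) -> bool:
        """True when the token is still live and the requester meets its auth requirement."""
        upload = self._links.get(token)
        if upload is None or now > upload.expires_at:
            self._links.pop(token, None)  # expired links are purged, never revived
            return False
        return requester_authenticated or not upload.requires_auth


# Weak policy: anonymous public-form uploads yield links that stay live for a day
WEAK = dict(link_ttl_seconds=24 * 3600, public_forms_get_links=True)
# Hardened policy in the spirit of the advisory: no link on public forms, short window otherwise
HARDENED = dict(link_ttl_seconds=300, public_forms_get_links=False)


def anonymous_hosting_window(policy: dict) -> float:
    """Seconds during which an unauthenticated party could reshare an upload (0 = none)."""
    svc = UploadLinkService(**policy)
    token = svc.store("sample.bin", submitter_authenticated=False, now=0.0)  # constructed input
    if token is None or not svc.can_download(token, requester_authenticated=False, now=0.0):
        return 0.0
    return policy["link_ttl_seconds"]
```

Under the weak policy the anonymous hosting window is the full link lifetime; under the hardened policy it is zero, and authenticated users' links still require a login and expire after the short window.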
Security Updates
Diagnostic Tool