CVE-2026-34586
Authorization Bypass in PdfDing Shared PDF Access Before
Publication date: 2026-03-31
Last updated on: 2026-04-13
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pdfding | pdfding | < 1.7.1 (fixed in 1.7.1) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows previously authorized users to keep accessing shared PDF content after the share has expired, reached its view limit, or been soft-deleted, because the access check does not re-validate the share's state.
Such unauthorized access to potentially sensitive documents could lead to non-compliance with data protection regulations like GDPR or HIPAA, which require strict control over access to personal or protected health information.
However, the provided information does not explicitly state the impact on compliance with these standards.
Can you explain this vulnerability to me?
This vulnerability exists in PdfDing, a self-hosted PDF manager, viewer, and editor. Before version 1.7.1, the function check_shared_access_allowed() only verified that a user session existed for the share; it did not check whether the shared PDF had become inactive through expiration, an exceeded maximum view count, or soft-deletion. Because the Serve and Download endpoints rely solely on this function, a user who had been authorized once could keep viewing or downloading the shared PDF after it should have become inaccessible.
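The following is an added example written for this page, not PdfDing's own code: it models the check pattern the description attributes to versions before 1.7.1 (trusting a prior session grant alone) next to a hardened check that re-evaluates the share's state on every request, and replays the three conditions the advisory names (expired, over the view limit, soft-deleted) through a stand-in Serve endpoint. The SharedPdf fields, the session key and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

SESSION_KEY = "shared_pdf_access"  # hypothetical session key used for this example


@dataclass
class SharedPdf:
    """Minimal stand-in for a share record (constructed for this example)."""
    name: str
    expiration_date: Optional[datetime] = None  # None: never expires
    max_views: Optional[int] = None             # None: unlimited views
    views: int = 0
    deleted_at: Optional[datetime] = None       # set when the share is soft-deleted

    def inactive(self, now: datetime) -> bool:
        """True when the share must no longer be served, for any of the three reasons."""
        if self.deleted_at is not None:
            return True
        if self.expiration_date is not None and now >= self.expiration_date:
            return True
        if self.max_views is not None and self.views >= self.max_views:
            return True
        return False


CheckFn = Callable[[dict, SharedPdf, datetime], bool]


def check_shared_access_allowed_vulnerable(session: dict, shared: SharedPdf,
                                           now: datetime) -> bool:
    """Pattern the advisory describes: the decision rests on the session grant alone."""
    return shared.name in session.get(SESSION_KEY, set())


def check_shared_access_allowed_fixed(session: dict, shared: SharedPdf,
                                      now: datetime) -> bool:
    """Hardened: the share's current state is re-checked before the session grant counts."""
    if shared.inactive(now):
        return False
    return shared.name in session.get(SESSION_KEY, set())


def serve(session: dict, shared: SharedPdf, check: CheckFn, now: datetime) -> int:
    """Stand-in for a Serve/Download endpoint: returns an HTTP status, counting a view on success."""
    if not check(session, shared, now):
        return 403
    shared.views += 1
    return 200


def run_scenarios(check: CheckFn) -> dict:
    """Replays requests from a session that was authorized earlier; returns status per scenario."""
    now = datetime(2026, 4, 1, tzinfo=timezone.utc)
    session = {SESSION_KEY: {"report"}}  # viewer passed the share's access step earlier
    results = {}

    expired = SharedPdf("report", expiration_date=now - timedelta(hours=1))
    results["expired"] = serve(session, expired, check, now)

    limited = SharedPdf("report", max_views=1)
    serve(session, limited, check, now)  # the single permitted view
    results["over_view_limit"] = serve(session, limited, check, now)

    deleted = SharedPdf("report", deleted_at=now - timedelta(minutes=5))
    results["soft_deleted"] = serve(session, deleted, check, now)

    active = SharedPdf("report", expiration_date=now + timedelta(days=1))
    results["active"] = serve(session, active, check, now)

    # A session that never held a grant is refused by both variants.
    results["no_session_grant"] = serve({}, active, check, now)
    return results


if __name__ == "__main__":
    print("vulnerable:", run_scenarios(check_shared_access_allowed_vulnerable))
    print("fixed:     ", run_scenarios(check_shared_access_allowed_fixed))
```

With the session-only check every scenario except the ungranted session returns 200; with the hardened check the expired, over-limit and soft-deleted shares all return 403 while the active share is still served. The point for reviewers is that a session grant records a past decision, so any condition that can change after that decision (time, counters, deletion flags) has to be re-read at request time rather than inferred from the grant.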
How can this vulnerability impact me?
This vulnerability allows continued access to shared PDF documents beyond their intended availability period or usage limits. Users who should no longer have access, because the share has expired, reached its maximum view count, or been deleted, can still view or download the content, which can lead to unintended disclosure of the document's contents.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade PdfDing to version 1.7.1 or later, where the issue has been patched.