Page 1 of 1

Potential security issue with file endpoint

Posted: Mon Feb 03, 2020 10:19 am
by anovak

I have noticed that GET file endpoint can retrieve any file even if candidate id and file id do not match.
Can someone confirm me if this in on purpose? Why we need to enter candidate id if we can retrieve file with just file id? .

Example: curl ... e/3835/231

Candidate 3835 do not need to match to file id 231 to get this file.

Thank you,