CVE-2025-66956

Asseco SEE · SEE Live 2.0

Asseco SEE Live 2.0 contains insecure access control in its communication components, allowing remote attackers to access and execute attachments via computable URLs.

Executive summary

Insecure access controls in Asseco SEE Live 2.0 allow remote attackers to bypass authorization and retrieve sensitive attachments by requesting predictable (computable) attachment URLs.

Vulnerability

This vulnerability affects the Contact Plan, E-Mail, SMS, and Fax components. Two defects combine: attachment URLs are computable (predictable), so an attacker can derive the location of attachments they were never given, and the file-serving endpoint does not enforce the intended authorization checks, so a derived URL is enough to download or execute the attachment remotely.

Business impact

The CVSS score of 9.9 indicates a critical risk to data confidentiality and integrity. Attackers could systematically harvest sensitive documents, personal data, or corporate communications sent via the SEE Live platform, leading to significant regulatory non-compliance and reputational damage.

Remediation

Immediate Action: Apply the latest security updates provided by Asseco SEE for the Live 2.0 platform to implement robust authorization checks for all attachment access requests.

Proactive Monitoring: Monitor access logs for sequential or high-volume requests to attachment URLs from a single client, which may indicate automated scraping or active exploitation of the computable URLs. Count requests that return 404 as well as 200: a client walking an identifier space will hit identifiers that do not exist.
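The following detector is an added example, not tooling from Asseco SEE or from this advisory. It scans constructed combined-format access log lines for the two signals described above: a client making a burst of attachment requests in a short window, and a client whose requested attachment identifiers advance by a constant step (the signature of walking a computable URL space). The /attachments/<id> path, the thresholds and the log lines are all assumptions for illustration; the advisory does not publish SEE Live's real URL pattern.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (combined-log style). The /attachments/<id>
# path is a hypothetical stand-in: adapt ATTACH_RE to the endpoint your own
# SEE Live logs show. 203.0.113.7 walks ids 1001..1006 (one 404 among them),
# 192.0.2.9 fetches six unrelated ids in half a minute, 198.51.100.4 is benign.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2025:10:00:01 +0000] "GET /attachments/1001 HTTP/1.1" 200 5120
203.0.113.7 - - [12/Jan/2025:10:00:02 +0000] "GET /attachments/1002 HTTP/1.1" 200 4096
203.0.113.7 - - [12/Jan/2025:10:00:03 +0000] "GET /attachments/1003 HTTP/1.1" 200 7300
203.0.113.7 - - [12/Jan/2025:10:00:04 +0000] "GET /attachments/1004 HTTP/1.1" 404 0
203.0.113.7 - - [12/Jan/2025:10:00:05 +0000] "GET /attachments/1005 HTTP/1.1" 200 2210
203.0.113.7 - - [12/Jan/2025:10:00:06 +0000] "GET /attachments/1006 HTTP/1.1" 200 9988
198.51.100.4 - - [12/Jan/2025:10:01:10 +0000] "GET /attachments/2087 HTTP/1.1" 200 1200
198.51.100.4 - - [12/Jan/2025:10:03:15 +0000] "GET /attachments/1550 HTTP/1.1" 200 800
192.0.2.9 - - [12/Jan/2025:10:05:00 +0000] "GET /attachments/3310 HTTP/1.1" 200 100
192.0.2.9 - - [12/Jan/2025:10:05:03 +0000] "GET /attachments/1870 HTTP/1.1" 200 100
192.0.2.9 - - [12/Jan/2025:10:05:07 +0000] "GET /attachments/2941 HTTP/1.1" 200 100
192.0.2.9 - - [12/Jan/2025:10:05:12 +0000] "GET /attachments/1024 HTTP/1.1" 200 100
192.0.2.9 - - [12/Jan/2025:10:05:20 +0000] "GET /attachments/4410 HTTP/1.1" 200 100
192.0.2.9 - - [12/Jan/2025:10:05:31 +0000] "GET /attachments/3009 HTTP/1.1" 200 100
198.51.100.4 - - [12/Jan/2025:10:06:00 +0000] "GET /login HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
ATTACH_RE = re.compile(r'^/attachments/(?P<id>\d+)(?:[/?]|$)')   # assumed path
TS_FMT = '%d/%b/%Y:%H:%M:%S %z'


def parse_attachment_requests(log_text):
    """Yield (ip, timestamp, attachment_id) for every request to the attachment
    endpoint, whatever the status: a 404 is evidence of probing, not noise."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        a = ATTACH_RE.match(m['path'])
        if not a:
            continue
        yield m['ip'], datetime.strptime(m['ts'], TS_FMT), int(a['id'])


def longest_constant_step_run(ids):
    """Length of the longest stretch of requests whose ids advance by the same
    non-zero step (1001,1002,1003 or 1010,1020,1030). Walking a computable id
    space produces exactly this pattern; organic use does not."""
    best = run = 1
    step = None
    for prev, cur in zip(ids, ids[1:]):
        d = cur - prev
        if d != 0 and d == step:
            run += 1
        else:
            step = d if d != 0 else None
            run = 2 if d != 0 else 1
        best = max(best, run)
    return best


def max_requests_in_window(times, window_s):
    """Largest number of requests that fall inside any window_s-second span."""
    best = start = 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_enumeration(log_text, window_s=60, volume_threshold=6, run_threshold=5):
    """Return {client_ip: [reasons]} for clients that look like enumerators.
    Thresholds are assumptions; tune them to the platform's normal usage."""
    per_ip = defaultdict(list)
    for ip, ts, aid in parse_attachment_requests(log_text):
        per_ip[ip].append((ts, aid))
    alerts = {}
    for ip, events in per_ip.items():
        events.sort()
        times = [t for t, _ in events]
        ids = [a for _, a in events]
        reasons = []
        burst = max_requests_in_window(times, window_s)
        if burst >= volume_threshold:
            reasons.append(f'{burst} attachment requests within {window_s}s')
        run = longest_constant_step_run(ids)
        if run >= run_threshold:
            reasons.append(f'{run} consecutive requests with a constant id step')
        if reasons:
            alerts[ip] = reasons
    return alerts


if __name__ == '__main__':
    for ip, reasons in detect_enumeration(SAMPLE_LOG).items():
        print(ip, '->', '; '.join(reasons))
```

On the sample above, 203.0.113.7 trips both rules, 192.0.2.9 trips only the volume rule, and 198.51.100.4 is not reported. The constant-step rule is the more specific of the two: a bulk download by a legitimate integration can produce a burst, but it will not request identifiers in arithmetic progression.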

Compensating Controls: Until the patch is applied, place a reverse proxy or WAF in front of the application that requires a valid session before any request reaches the file-serving endpoints. This blocks unauthenticated harvesting but is only a stopgap: a proxy cannot tell which user an attachment belongs to, so an authenticated user can still reach attachments that are not theirs until the vendor's fix adds per-attachment authorization inside the application.
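To make the difference between the stopgap and the real fix concrete, here is an added example (not SEE Live code, and not code from this advisory) written as WSGI middleware. It wraps a hypothetical legacy handler that serves any attachment by numeric id with no checks, first with a session gate of the kind a reverse proxy or WAF can enforce, then with an object-level ownership check of the kind only the application itself can perform. The attachment table, session store and the /attachments/<id> path are constructed for the illustration.

```python
import re
from http import HTTPStatus
from http.cookies import SimpleCookie

# Constructed fixture: who owns which attachment, and which session cookie
# belongs to which user. None of this is SEE Live's data model; the numeric
# /attachments/<id> path is a hypothetical stand-in for a computable URL.
ATTACHMENTS = {
    1001: {'owner': 'alice', 'body': b'%PDF-1.4 alice-contract'},
    1002: {'owner': 'bob',   'body': b'%PDF-1.4 bob-invoice'},
}
SESSIONS = {'s3cr3t-alice': 'alice', 's3cr3t-bob': 'bob'}
ATTACH_RE = re.compile(r'^/attachments/(\d+)$')


def _reply(start_response, status, body=b''):
    start_response(f'{status.value} {status.phrase}',
                   [('Content-Type', 'application/octet-stream'),
                    ('Content-Length', str(len(body)))])
    return [body]


def legacy_app(environ, start_response):
    """The vulnerable shape: any id that exists is served to anyone who asks.
    Because ids are sequential, asking for every id is trivial."""
    m = ATTACH_RE.match(environ['PATH_INFO'])
    att = ATTACHMENTS.get(int(m.group(1))) if m else None
    if att is None:
        return _reply(start_response, HTTPStatus.NOT_FOUND)
    return _reply(start_response, HTTPStatus.OK, att['body'])


def session_user(environ):
    """Resolve the session cookie to a user name, or None if absent/unknown."""
    morsel = SimpleCookie(environ.get('HTTP_COOKIE', '')).get('session')
    return SESSIONS.get(morsel.value) if morsel else None


def session_gate(app):
    """Compensating control, what a reverse proxy or WAF can enforce: no
    valid session, no access to the file-serving endpoint. It does not know
    whose attachment is being requested, so an authenticated attacker can
    still enumerate other users' files through it."""
    def gated(environ, start_response):
        if ATTACH_RE.match(environ['PATH_INFO']) and session_user(environ) is None:
            return _reply(start_response, HTTPStatus.UNAUTHORIZED)
        return app(environ, start_response)
    return gated


def ownership_check(app):
    """Object-level authorization, the actual fix: the attachment must belong
    to the session's user. This needs the application's own ownership data,
    which is why it has to come from the vendor patch rather than a proxy."""
    def checked(environ, start_response):
        m = ATTACH_RE.match(environ['PATH_INFO'])
        if m:
            user = session_user(environ)
            if user is None:
                return _reply(start_response, HTTPStatus.UNAUTHORIZED)
            att = ATTACHMENTS.get(int(m.group(1)))
            # 404 for both "does not exist" and "not yours", so the response
            # does not tell an enumerating client which ids are real.
            if att is None or att['owner'] != user:
                return _reply(start_response, HTTPStatus.NOT_FOUND)
        return app(environ, start_response)
    return checked


def call(app, path, cookie=None):
    """Drive a WSGI app in-process; returns (status_code, body)."""
    environ = {'REQUEST_METHOD': 'GET', 'PATH_INFO': path}
    if cookie:
        environ['HTTP_COOKIE'] = f'session={cookie}'
    captured = {}

    def start_response(status, headers):
        captured['status'] = int(status.split()[0])
    body = b''.join(app(environ, start_response))
    return captured['status'], body


if __name__ == '__main__':
    # Alice asks for Bob's attachment under each configuration.
    for name, app in [('legacy', legacy_app),
                      ('session gate', session_gate(legacy_app)),
                      ('ownership check', ownership_check(legacy_app))]:
        print(f'{name:16} ->', call(app, '/attachments/1002', cookie='s3cr3t-alice'))
```

Run it and the three lines show the point of the caveat: the legacy handler returns Bob's file to Alice, the session gate still returns it because Alice has a valid session, and only the ownership check refuses. Swapping the sequential ids for unguessable ones would reduce exposure further, but it is no substitute for the check: a leaked or shared link would still be world-readable.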

Exploitation status

Public Exploit Available: false

Analyst recommendation

Organizations using Asseco SEE Live 2.0 for enterprise communications must address this insecure access control flaw immediately. Predictable resource locations combined with missing authorization checks create a significant data breach risk; proxy-level controls and log monitoring reduce exposure, but the flaw is only closed by the vendor's official security patches.