From c62b794bd1698d2fc2a6842955f340c8861ca80f Mon Sep 17 00:00:00 2001
From: John-Weak
Date: Tue, 12 Nov 2024 17:45:45 +0530
Subject: [PATCH 1/2] add session check to upload
---
 frontend/express/app.js | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/frontend/express/app.js b/frontend/express/app.js
index 06f9b736362..110daa7830a 100644
--- a/frontend/express/app.js
+++ b/frontend/express/app.js
@@ -603,6 +603,10 @@ Promise.all([plugins.dbConnection(countlyConfig), plugins.dbConnection("countly_
 app.use(function(req, res, next) {
 var contentType = req.headers['content-type'];
 if (req.method.toLowerCase() === 'post' && contentType && contentType.indexOf('multipart/form-data') >= 0) {
+ if (!req.session?.uid || Date.now() > req.session?.expires) {
+ res.status(401).send('Unauthorized');
+ return;
+ }
 var form = new formidable.IncomingForm();
 form.uploadDir = __dirname + '/uploads';
 form.parse(req, function(err, fields, files) {
From aff4668345d43d739eb2c4baecc71b64a515a4ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Art=C5=ABrs=20Kadi=C4=B7is?=
Date: Tue, 12 Nov 2024 20:08:27 +0200
Subject: [PATCH 2/2] changelog
---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ec855873ba1..d13dc75baa6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,9 @@ Enterprise fixes:
 - [nps] Fixed bug in the editor where the "internal name" field was not mandatory
 - [ratings] Fixed UI bug where "Internal name" was not a mandatory field
+Security:
+- Fixing minor vulnerability that would allow for unauthorized file upload
+
 ## Version 24.05.16
 Fixes:
 - [core] Replaced "Users" with "Sessions" label on technology home widgets
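Review bot: In the `frontend/express/app.js` hunk, the expiry half of the new guard fails open: when `req.session.expires` is undefined or not a number, `Date.now() > req.session?.expires` evaluates to false, so a session that carries a `uid` but no usable `expires` still reaches `formidable` and can write into `uploads`. If every valid session is expected to carry a numeric expiry, invert the comparison so a missing value is rejected, `if (!req.session?.uid || !(Date.now() <= req.session.expires)) {`; if sessions without an expiry are legitimate, a short comment saying so would make the intent clear. The guard also presumes the session middleware has already populated `req.session` before this handler runs, and that registration order is not visible here. The `form.parse` callback continues outside the hunk, so whether anything further restricts which authenticated users may upload cannot be judged from these lines.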