An issue was discovered in Viki Vera 4.9.1.26180. A user without access to a project could download or upload project files by opening the Project URL directly in the browser after logging in.Referenceshttps://www.gosecure.net/blog/2020/12/15/vera-stored-xss-improper-access-control/
