CVE-2023-45210: Improper access control in Implem Inc. Pleasanter
Pleasanter 1.3.47.0 and earlier contains an improper access control vulnerability, which may allow a remote authenticated attacker to view temporary files uploaded by other users that the attacker is not permitted to access.
AI Analysis
Technical Summary
CVE-2023-45210 is an improper access control vulnerability in Implem Inc.'s Pleasanter, affecting versions 1.3.47.0 and earlier. Pleasanter is a collaborative platform often used for project management and workflow organization. The vulnerability allows a remote attacker with an authenticated account to view temporary files uploaded by other users, even though the requesting account is not permitted to access those files. The root cause is insufficient enforcement of access control on temporary file storage: authentication is checked, but ownership of or permission on the specific temporary file is not. It is categorized under CWE-284 (Improper Access Control). Exploitation requires no user interaction beyond the attacker's own authentication and is possible remotely over the network. The CVSS v3.1 base score is 4.3 (medium severity); the vector indicates network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), and limited confidentiality impact (C:L), with no impact on integrity or availability. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability primarily compromises confidentiality by exposing potentially sensitive temporary files to authenticated users who should not see them, which could lead to information leakage or privacy violations within organizations using Pleasanter.
Potential Impact
For European organizations using Pleasanter, this vulnerability poses a risk of unauthorized disclosure of sensitive or confidential information contained in temporarily stored uploads. Since the attacker must be authenticated, the threat comes mainly from insiders or compromised user accounts. Exposure of temporary files could leak intellectual property, personal data protected under GDPR, or other sensitive business information, resulting in reputational damage, regulatory penalties, and loss of trust. The impact is particularly significant for sectors handling sensitive data such as finance, healthcare, legal, and government institutions within Europe. Although the vulnerability does not affect system integrity or availability, the confidentiality breach alone can have serious compliance and operational consequences under European data protection laws.
Mitigation Recommendations
European organizations should immediately review their use of Pleasanter and identify whether they are running affected versions (1.3.47.0 or earlier). Until an official patch is released, organizations should implement strict access controls at the network and application layers, including limiting authenticated user privileges to the minimum necessary. Monitoring and logging of access to temporary file storage should be enhanced so that requests for temporary files by accounts other than the uploader can be detected. Organizations should also consider isolating the Pleasanter environment and restricting upload and file sharing functionality to trusted users only. Regular audits of user permissions and session management should be conducted to reduce the risk of compromised accounts. Additionally, organizations should engage with Implem Inc. for updates on patches or workarounds and plan for timely application of fixes once available. Employing Data Loss Prevention (DLP) tools to monitor and control sensitive data exposure through temporary files can also mitigate risk.
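The following is an added illustration, not Pleasanter's code, of the access control gap described in the technical summary and of the access logging recommended above. It models temporary uploads as records with an owner and a site, and contrasts a handler that checks only that the caller is logged in with one that also enforces ownership or site-level read permission and records every denied request; all names and the permission table are constructed for this example.

```python
# Added example (hypothetical, not Pleasanter's implementation): a minimal model
# of CWE-284 on temporary file storage. Authentication alone is not authorization.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class TempFile:
    file_id: str      # opaque identifier handed back to the uploader
    owner: str        # user who uploaded the file
    site_id: str      # site (record container) the upload belongs to
    content: bytes


@dataclass
class Store:
    files: Dict[str, TempFile] = field(default_factory=dict)
    # constructed permission table: site_id -> users allowed to read that site
    site_readers: Dict[str, Set[str]] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)   # denied-access log


def fetch_temp_vulnerable(store: Store, user: str, file_id: str) -> Optional[bytes]:
    """Vulnerable pattern: any authenticated user can read any temp file by id."""
    f = store.files.get(file_id)
    return f.content if f else None


def fetch_temp_hardened(store: Store, user: str, file_id: str) -> Optional[bytes]:
    """Hardened pattern: caller must be the uploader or hold read access on the site."""
    f = store.files.get(file_id)
    if f is None:
        return None
    allowed = user == f.owner or user in store.site_readers.get(f.site_id, set())
    if not allowed:
        # Log the denial so cross-user requests for temp files are visible to monitoring.
        store.audit.append(f"DENY temp_file={file_id} requester={user} owner={f.owner}")
        return None
    return f.content


def build_demo_store() -> Store:
    """Constructed sample data: alice uploads to site-7; carol may read site-7; bob may not."""
    store = Store()
    store.files["tmp-1"] = TempFile("tmp-1", "alice", "site-7", b"draft contract")
    store.site_readers["site-7"] = {"alice", "carol"}
    return store
```

In the vulnerable handler, `bob` (authenticated, no rights on `site-7`) reads `tmp-1`; in the hardened one he is refused and a `DENY` audit line is written.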
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: jpcert
- Date Reserved: 2023-10-31T01:54:11.551Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 683732d3182aa0cae25301e1
Added to database: 5/28/2025, 3:59:15 PM
Last enriched: 7/7/2025, 8:13:34 AM
Last updated: 8/19/2025, 1:53:37 AM