In pre-4.7 versions of Episerver Forms it is possible for form submissions to be accessible to all front-end users. End users may find confidential form data in search results, so steps should be taken to avoid this.
Update your Episerver.Forms Nuget package to at least 4.7.0.
Description
Episerver has out-of-the-box field validation for file type, file size, and number of files uploaded, but it does not audit the file's magic number/signature. This article contains recommendations for adding magic number checks to file upload security.
Resolution
Process application requests in the global.asax and validate each upload request at that point.
The supported file extensions in Episerver can be seen here.
Find a database of signature codes (that is up-to-date) and build a d...
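The global.asax check described above, as an added example that is not Episerver's own code: it assumes the System.Web request pipeline, a Global.asax class name, and a small constructed signature table in place of a full signature database.

```csharp
// Added example (not Episerver code): magic-number check for uploads hooked in Global.asax.
// The signature table is a small constructed sample; extend it from a maintained signature list.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Web;

public static class UploadSignatureCheck
{
    // Extension -> accepted leading byte sequences (constructed sample).
    private static readonly Dictionary<string, byte[][]> Signatures =
        new Dictionary<string, byte[][]>(StringComparer.OrdinalIgnoreCase)
    {
        { ".png",  new[] { new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } } },
        { ".jpg",  new[] { new byte[] { 0xFF, 0xD8, 0xFF } } },
        { ".jpeg", new[] { new byte[] { 0xFF, 0xD8, 0xFF } } },
        { ".gif",  new[] { new byte[] { 0x47, 0x49, 0x46, 0x38 } } },
        { ".pdf",  new[] { new byte[] { 0x25, 0x50, 0x44, 0x46 } } },
    };

    // True only if the extension is known and the file's first bytes match one of its signatures;
    // a missing or unknown extension is rejected rather than trusted.
    public static bool MatchesDeclaredType(string fileName, Stream content)
    {
        byte[][] candidates;
        if (!Signatures.TryGetValue(Path.GetExtension(fileName ?? ""), out candidates)) return false;
        byte[] head = new byte[candidates.Max(s => s.Length)];
        long origin = content.CanSeek ? content.Position : 0;
        int read = content.Read(head, 0, head.Length);
        if (content.CanSeek) content.Position = origin; // leave the stream where the handler expects it
        return candidates.Any(sig => read >= sig.Length && sig.SequenceEqual(head.Take(sig.Length)));
    }
}

// Global.asax.cs (class name assumed): reject mismatched uploads before any handler runs.
public class Global : HttpApplication
{
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        HttpRequest request = Context.Request;
        for (int i = 0; i < request.Files.Count; i++)
        {
            HttpPostedFile file = request.Files[i];
            if (file.ContentLength == 0) continue;
            if (UploadSignatureCheck.MatchesDeclaredType(file.FileName, file.InputStream)) continue;
            Context.Response.StatusCode = 400;
            Context.Response.StatusDescription = "Upload content does not match declared file type";
            CompleteRequest(); // skip the rest of the pipeline without a ThreadAbortException
        }
    }
}
```

A signature match only confirms the leading bytes; keep Episerver's extension, size and count validation in place alongside it.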
Description
This article describes the steps needed to set the secure flag on the Episerver login cookie.
Resolution
Setting requireSSL="true" on the EPiServer login form in the web.config resolves the issue.
<forms name=".EPiServerLogin" loginUrl="Util/login.aspx" timeout="120" defaultUrl="~/" requireSSL="true" />