Reports should not be made public
Impact area
Security
Severity
High
Affected elements
Report
Rule ID
SN-0406
Impact
When a report is published, the generated URL is public by default, which means the report data could be exposed to anyone, including people who are not users. Reports remain available until they are unpublished.
Remediation
Share reports using Groups, Users and Roles. To make a report available only to logged-in users, set its Sharing setting to Everyone, but do not publish it.
Time to fix
15 min
References
This rule is linked to Common Weakness Enumeration CWE-284 Improper Access Control.