File attachments under the Salaries module can be downloaded and viewed by anyone, without authentication, by requesting the full path (/assets/FileUploads/2022/staff_2/*) together with the predictable filename. The filename contains the date (YYYY-MM-DD) and a random 6-digit number, which an automated tool can easily enumerate from the list of all possible 6-digit combinations. Attachments under the Salaries module may contain confidential salary information and other sensitive data of the intended owner.
Example: http://X.X.X.X/assets/FileUploads/2022/staff_2/payslip_2023-04-05_021223.jpg
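Because the 6-digit suffix leaves only one million candidates, enumeration shows up in the web server log as one client requesting many distinct payslip filenames under the same staff folder, almost all of them returning 404. The following is an added detection example (not part of the report or the affected project) that runs over constructed combined-format access log lines using documentation IP ranges; the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Attachment path pattern from the report:
# /assets/FileUploads/<year>/staff_<id>/payslip_<YYYY-MM-DD>_<6 digits>.<ext>
PAYSLIP_RE = re.compile(
    r"/assets/FileUploads/\d{4}/staff_\d+/payslip_\d{4}-\d{2}-\d{2}_(\d{6})\.\w+"
)
# Apache/nginx combined log format: client IP, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Return (client_ip, six_digit_suffix, status) for payslip requests, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, path, status = m.groups()
    p = PAYSLIP_RE.search(path)
    if not p:
        return None
    return ip, p.group(1), int(status)

def find_enumerators(lines, min_distinct=20, min_miss_ratio=0.8):
    """Flag clients that request many distinct payslip suffixes with mostly 404 responses.

    Returns {client_ip: number_of_distinct_suffixes_requested}. Thresholds are assumptions.
    """
    distinct = defaultdict(set)
    total = defaultdict(int)
    misses = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, suffix, status = parsed
        distinct[ip].add(suffix)
        total[ip] += 1
        if status == 404:
            misses[ip] += 1
    return {
        ip: len(s) for ip, s in distinct.items()
        if len(s) >= min_distinct and misses[ip] / total[ip] >= min_miss_ratio
    }

# Constructed sample log: one client walks suffixes 000000..000029 (one hit, 29 misses),
# another fetches a single attachment once. Not taken from any real system.
SAMPLE_LOG = [
    f'203.0.113.7 - - [05/Apr/2023:10:00:{i:02d} +0000] "GET /assets/FileUploads/2022/staff_2/'
    f'payslip_2023-04-05_{i:06d}.jpg HTTP/1.1" {200 if i == 17 else 404} 0 "-" "curl/8.0"'
    for i in range(30)
] + [
    '198.51.100.4 - - [05/Apr/2023:10:05:00 +0000] "GET /assets/FileUploads/2022/staff_2/'
    'payslip_2023-04-05_021223.jpg HTTP/1.1" 200 51234 "-" "Mozilla/5.0"',
]
```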