Regarding the authentication issue in the support center

Discussion in 'QRZ Site Community Help Center' started by BG7ZDQ, Mar 28, 2024.

  1. BG7ZDQ

    BG7ZDQ Ham Member QRZ Page

    Just now I tried to change my call sign in the support center.

    After submitting my request, I found that the work order feedback page provided by QRZ and the attachments uploaded by the user were not authenticated, which means that non-logged-in/unauthorized users can access the user's work order and submitted attachments through parameter enumeration, which may include the user's identity and license documents. This is very dangerous. Moreover, the attachment interface does not impose any restrictions at all, and its parameters are extremely simple, making it easier for illegal access to the data.

    I hope that the forum maintainers can promptly notice these issues and take corresponding measures.

    Thank you!
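
The access-control gap reported in the post above, shown as an added example (not QRZ's code and not part of the original post): a ticket attachment handler with no checks next to one that authenticates the session and authorizes against the ticket owner. All names, ids, sessions and data are hypothetical and constructed for illustration.

```python
import secrets

# Constructed sample data: two users' support tickets with attachments.
TICKETS = {
    1001: {"owner": "alice", "attachments": {1: b"alice-license.pdf"}},
    1002: {"owner": "bob", "attachments": {1: b"bob-id-scan.jpg"}},
}
# Constructed session table: session token -> user name.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob", "sess-support": "support1"}
STAFF = {"support1"}  # accounts allowed to read any ticket


def get_attachment_unauthenticated(ticket_id, attachment_id):
    """The pattern the post describes: no session and no ownership check."""
    ticket = TICKETS.get(ticket_id)
    if ticket is None or attachment_id not in ticket["attachments"]:
        return 404, None
    return 200, ticket["attachments"][attachment_id]


def get_attachment_checked(session_token, ticket_id, attachment_id):
    """Authenticate the caller first, then authorize against the ticket owner."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, None
    ticket = TICKETS.get(ticket_id)
    # Same 404 for "does not exist" and "not yours", so the response
    # does not confirm which ticket ids are valid.
    if ticket is None or (ticket["owner"] != user and user not in STAFF):
        return 404, None
    data = ticket["attachments"].get(attachment_id)
    return (200, data) if data is not None else (404, None)


def new_attachment_ref():
    """Defense in depth: a 128-bit random reference instead of a small counter."""
    return secrets.token_urlsafe(16)


def readable_tickets(session_token):
    """Regression check: which ticket ids can this session read attachment 1 of?"""
    return [tid for tid in sorted(TICKETS)
            if get_attachment_checked(session_token, tid, 1)[0] == 200]
```

Random references only make guessing harder; the session and ownership checks are what actually close the gap.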
     
  2. K8VHL

    K8VHL Platinum Subscriber Volunteer Moderator QRZ Page

    Please inform the forum maintainers about your concerns by email at editor@qrz.com
     
