We are reporting an issue where emailed links from Oracle Fusion (from BIP/ESS) are of the format: /xmlpserver/servlet/outputDocument?outputid=17084&content_type=xlsx
We are concerned that these links are simply an auto-incremented number, which bad actors can simply increment to browse for available files, particularly if the output needs to be shared to multiple people and must therefore be set to Public rather than Private.
Why is this not using a GUID or other strong random ID rather than a basic incremented integer? This is very bad practice and there should be a way to deliver them a report with a sufficiently long and complex URL to make it not easily guessable.
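A detection check for the concern raised above, as an added example that is not part of the original post and is not Oracle code: it scans web access logs for clients that request a run of consecutive `outputid` values on the URL path quoted in the post. The combined log format, the sample lines, the status codes and the `min_run` threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

PATH = "/xmlpserver/servlet/outputDocument"   # path as quoted in the post
REQ = re.compile(r'^(\S+) .*?"GET (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample log lines (documentation IP ranges, invented statuses).
_T = '%s - - [12/Mar/2024:10:00:0%d +0000] "GET ' + PATH + \
     '?outputid=%d&content_type=xlsx HTTP/1.1" %d 512'
SAMPLE_LOG = "\n".join([
    _T % ("198.51.100.7", 1, 17084, 200),     # recipient opening the mailed link
    _T % ("198.51.100.7", 2, 17084, 200),     # same link again
    _T % ("203.0.113.9", 3, 17080, 404),      # client walking the id space
    _T % ("203.0.113.9", 4, 17081, 403),
    _T % ("203.0.113.9", 5, 17082, 200),
    _T % ("203.0.113.9", 6, 17083, 403),
    _T % ("203.0.113.9", 7, 17084, 200),
    _T % ("203.0.113.9", 8, 17085, 404),
])

def outputids_by_client(log_text):
    """Map client address -> list of (outputid, HTTP status) for PATH requests."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = REQ.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        ids = parse_qs(url.query).get("outputid", [])
        if url.path == PATH and ids and ids[0].isdigit():
            seen[client].append((int(ids[0]), int(status)))
    return seen

def longest_run(ids):
    """Length of the longest run of consecutive integers among distinct ids."""
    s = sorted(set(ids))
    best = cur = 1 if s else 0
    for a, b in zip(s, s[1:]):
        cur = cur + 1 if b == a + 1 else 1
        best = max(best, cur)
    return best

def flag_enumeration(log_text, min_run=4):
    """Report clients whose requested outputids contain a consecutive run."""
    flagged = {}
    for client, hits in outputids_by_client(log_text).items():
        ids = [i for i, _ in hits]
        if longest_run(ids) >= min_run:
            denied = sum(1 for _, s in hits if s in (401, 403, 404))
            flagged[client] = {"run": longest_run(ids),
                               "distinct": len(set(ids)), "denied": denied}
    return flagged
```

A high `denied` count alongside a long run separates id walking from a user who legitimately opens several of their own reports in order.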