Flarum is a forum software for building communities. Using the mentions feature provided by the flarum/mentions extension, users can mention any post ID on the forum with the special syntax. The following behavior never changes, regardless of whether the actor should be able to read the mentioned post: A URL to the mentioned post is inserted into the actor's post HTML, leaking its discussion ID and post number. The `mentionsPosts` relationship included in the `POST /api/posts` and `PATCH /api/posts/` JSON responses leaks the full JSON:API payload of all mentioned posts without any access control. This includes the content, date, number and attributes added by other extensions. An attacker only needs the ability to create new posts on the forum to exploit the vulnerability.
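The check below is an added example, not code from the original post or from Flarum: it audits a JSON:API response for mentioned posts the actor may not read, and shows the filtered form a fixed serializer should produce. The function names, the `readable_ids` set (assumed to come from the forum's own permission check) and the sample response are constructed for illustration.

```python
import copy

REL = "mentionsPosts"  # relationship name taken from the advisory text


def mentioned_ids(doc):
    """Post IDs linked through the mentionsPosts relationship of the primary resource."""
    rel = doc.get("data", {}).get("relationships", {}).get(REL, {})
    return [r["id"] for r in (rel.get("data") or []) if r.get("type") == "posts"]


def find_leaks(doc, readable_ids):
    """Map each mentioned post the actor may not read to the attribute names exposed."""
    included = {(r["type"], r["id"]): r for r in doc.get("included", [])}
    leaks = {}
    for pid in mentioned_ids(doc):
        if pid in readable_ids:
            continue
        res = included.get(("posts", pid))
        # Linkage alone confirms the post exists; a full resource exposes its attributes.
        leaks[pid] = sorted(res.get("attributes", {})) if res else []
    return leaks


def filter_response(doc, readable_ids):
    """Hardened form: drop unreadable mentioned posts from linkage and from `included`."""
    out = copy.deepcopy(doc)
    blocked = set(mentioned_ids(out)) - set(readable_ids)
    rel = out.get("data", {}).get("relationships", {}).get(REL)
    if rel and rel.get("data"):
        rel["data"] = [r for r in rel["data"] if r["id"] not in blocked]
    out["included"] = [r for r in out.get("included", [])
                       if not (r["type"] == "posts" and r["id"] in blocked)]
    return out


# Constructed sample response (hypothetical IDs and attributes, not captured traffic).
SAMPLE = {
    "data": {"type": "posts", "id": "101",
             "relationships": {REL: {"data": [{"type": "posts", "id": "7"},
                                              {"type": "posts", "id": "42"}]}}},
    "included": [
        {"type": "posts", "id": "7", "attributes": {"content": "public", "number": 2}},
        {"type": "posts", "id": "42", "attributes": {"content": "private", "number": 5}},
    ],
}

if __name__ == "__main__":
    print(find_leaks(SAMPLE, {"7"}))                         # unfiltered response
    print(find_leaks(filter_response(SAMPLE, {"7"}), {"7"}))  # after filtering
```

Run as a regression test against a staging forum's responses, an empty result from `find_leaks` means no mentioned post outside the actor's permissions appears in the response.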