A creator can create a newsletter, and followers can subscribe to it. The owner of the newsletter can view the subscriber list by clicking the “subscriber” button.
Server-side authorization checks are missing on
GET /voyager/api/voyagerPublishingDashSeriesSubscribers?decorationId=com.linkedin.voyager.dash.deco.publishing.SeriesSubscriberMiniProfile-2&count=10&q=contentSeries&seriesUrn=urn%3Ali%3Afsd_contentSeries%3A<NewsletterId>&start=0 HTTP/2
This gives an attacker the ability to view the subscriber list of other users’ newsletters by replaying the vulnerable request with the victim’s NewsletterId, which is public.
An attacker can therefore view the subscriber list and details of other users’ newsletters, even though this is not possible through the application UI, simply by replaying the vulnerable request with the victim’s NewsletterId.
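As an added illustration that is not part of the original report, the following Python sketch contrasts a handler that only validates the seriesUrn parameter (the missing-check pattern described above) with one that also enforces the ownership check the endpoint lacks. The owner and subscriber tables, user names and series ids are constructed assumptions, not LinkedIn data.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: which authenticated user owns which newsletter
# (content series), and each series' subscriber list.
SERIES_OWNER = {"123456": "alice", "789012": "bob"}
SERIES_SUBSCRIBERS = {"123456": ["carol", "dave"], "789012": ["erin"]}

# Request shape from the report, with a constructed NewsletterId filled in.
SAMPLE_URL = ("/voyager/api/voyagerPublishingDashSeriesSubscribers"
              "?decorationId=com.linkedin.voyager.dash.deco.publishing.SeriesSubscriberMiniProfile-2"
              "&count=10&q=contentSeries"
              "&seriesUrn=urn%3Ali%3Afsd_contentSeries%3A123456&start=0")

# Audit trail of denied ownership mismatches: repeated entries for one user
# across many series ids are the detection signal for this bug class.
DENIED = []


def parse_series_id(url):
    """Return the <NewsletterId> from seriesUrn, or None if the URN is malformed."""
    qs = parse_qs(urlsplit(url).query)          # parse_qs already percent-decodes
    urn = qs.get("seriesUrn", [""])[0]
    prefix = "urn:li:fsd_contentSeries:"
    if not urn.startswith(prefix) or not urn[len(prefix):]:
        return None
    return urn[len(prefix):]


def subscribers_vulnerable(url, user):
    """Missing-check pattern: the id is validated, but nobody asks who is requesting."""
    series_id = parse_series_id(url)
    if series_id not in SERIES_SUBSCRIBERS:
        return 404, []
    return 200, SERIES_SUBSCRIBERS[series_id]


def subscribers_fixed(url, user):
    """Hardened: the list is returned only to the series owner (object-level authz)."""
    series_id = parse_series_id(url)
    if series_id is None:
        return 400, []
    if user is None:
        return 401, []
    # Ownership is checked before existence, so a missing series and someone
    # else's series both produce the same deny; nothing leaks about valid ids.
    if SERIES_OWNER.get(series_id) != user:
        DENIED.append((user, series_id))
        return 403, []
    return 200, SERIES_SUBSCRIBERS[series_id]
```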