A user can escalate privileges and edit his previous comments when comments are disabled for a video.
Steps to verify:
1. Log into vimeo.com as Alice. Upload a video (say, video id 118026546) and allow anyone to leave comments for that video.
2. Log in as Bob and navigate to the video URL: https://vimeo.com/118026546.
3. Leave a comment. Edit that comment and capture the request using Burp proxy. The captured request looks like this:
POST /118026546 HTTP/1.1
Host: vimeo.com
[...]

text=abcd&action=edit_comment&comment_id=12984882&token=[...]
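
The server-side check this report turns on, as an added example (not Vimeo's code and not part of the original report): a constructed in-memory model that contrasts an edit handler checking only authorship with one that also re-checks the video's current comment setting. The names Video, Comment, Forbidden and the edit_comment_* functions are assumptions made for illustration.

```python
# Added illustration with hypothetical names; a minimal model, not Vimeo's code.
from dataclasses import dataclass

@dataclass
class Video:
    video_id: int
    comments_enabled: bool = True

@dataclass
class Comment:
    comment_id: int
    video_id: int
    author: str
    text: str

class Forbidden(Exception):
    """The caller may not perform the requested action."""

def edit_comment_ownership_only(user, video, comment, new_text):
    # Weak form: checks authorship only, so an edit sent after the owner
    # disables comments is still accepted.
    if comment.video_id != video.video_id or comment.author != user:
        raise Forbidden("not the author of this comment")
    comment.text = new_text
    return comment

def edit_comment_checked(user, video, comment, new_text):
    # Hardened form: re-evaluates the video's current comment setting on
    # every state-changing comment action, not only on creation.
    if comment.video_id != video.video_id or comment.author != user:
        raise Forbidden("not the author of this comment")
    if not video.comments_enabled:
        raise Forbidden("comments are disabled for this video")
    comment.text = new_text
    return comment

def demo():
    # Constructed sample data reusing the ids shown in the report.
    video = Video(118026546)
    comment = Comment(12984882, video.video_id, author="bob", text="first")
    video.comments_enabled = False  # owner turns comments off afterwards
    edit_comment_ownership_only("bob", video, comment, "abcd")
    weak_text = comment.text
    try:
        edit_comment_checked("bob", video, comment, "changed again")
        blocked = False
    except Forbidden:
        blocked = True
    return weak_text, comment.text, blocked
```

The same setting check belongs on every comment action that changes state, so that turning comments off takes effect for requests sent afterwards.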