Description

Unauthenticated users can obtain the caption of private videos

Proof of Concept

1: First, create a private video and upload a caption

2: As an unauthenticated user, logout and visit the

/api/v1/videos/1/captions 

3: The response should return a lazy-static URL

{"total":1,"data":[{"language":{"id":"ase","label":"American Sign Language"},"captionPath":"/lazy-static/video-captions/62569eec-cdf5-4582-9cb0-af07d20d900c-ase.vtt"}]}

4: Visit the lazy-static URL and see you can access captions while unauthenticated.

Impact

This vulnerability is capable of disclosure of captions of private videos to unauthenticated users.