228 matches found
GHSA-R64R-5H43-26QV Any authenticated user may obtain private message details from other users on the same instance
Summary Users can report private messages, even when they're neither sender nor recipient of the message. The API response to creating a private message report contains the private message itself, which means any user can just iterate over message ids to loudly obtain all private messages of an...
Design/Logic Flaw
Lemmy is a link aggregator and forum for the fediverse. Starting in version 0.17.0 and prior to version 0.19.1, users can report private messages, even when they're neither sender nor recipient of the message. The API response to creating a private message report contains the private message...
CVE-2024-23649
CVE-2024-23649 affects Lemmy 0.17.0 up to 0.19.0 (vulnerable) with a patch available in 0.19.1. The issue allows any authenticated user to obtain arbitrary private message contents by calling the API at /api/v3/private_message/report; the response can include the private message itself and, in so...
CVE-2024-23649 Any authenticated user may obtain private message details from other users on the same instance
Lemmy is a link aggregator and forum for the fediverse. Starting in version 0.17.0 and prior to version 0.19.1, users can report private messages, even when they're neither sender nor recipient of the message. The API response to creating a private message report contains the private message...
Stored XSS on user "Write private message" function
Description An attacker can inject malicious executable scripts into the code of the message field. Proof of Concept Log in as a Member user, access Messages - Write private message function for sending admin a message.COde Insert this payload into the message field testscriptprompt'1'/script the...
CVE-2023-30417
A cross-site scripting XSS vulnerability in Pear-Admin-Boot up to v2.0.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title of a private message...
CVE-2023-30417
A cross-site scripting XSS vulnerability in Pear-Admin-Boot up to v2.0.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title of a private message...
Cross site scripting
A cross-site scripting XSS vulnerability in Pear-Admin-Boot up to v2.0.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title of a private message...
CVE-2023-30417
A cross-site scripting XSS vulnerability in Pear-Admin-Boot up to v2.0.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title of a private message...
CVE-2023-30417
A cross-site scripting XSS vulnerability in Pear-Admin-Boot up to v2.0.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title of a private message...
CVE-2023-0453
The WP Private Message WordPress plugin bundled with the Superio theme as a required plugin before 1.0.6 does not ensure that private messages to be accessed belong to the user making the requests. This allowing any authenticated users to access private messages belonging to other users by...
CVE-2023-0453
The WP Private Message WordPress plugin bundled with the Superio theme as a required plugin before 1.0.6 does not ensure that private messages to be accessed belong to the user making the requests. This allowing any authenticated users to access private messages belonging to other users by...
Code injection
The WP Private Message WordPress plugin bundled with the Superio theme as a required plugin before 1.0.6 does not ensure that private messages to be accessed belong to the user making the requests. This allowing any authenticated users to access private messages belonging to other users by...
CVE-2023-0453 WP Private Message < 1.0.6 - Private Message Disclosure via IDOR
The WP Private Message WordPress plugin bundled with the Superio theme as a required plugin before 1.0.6 does not ensure that private messages to be accessed belong to the user making the requests. This allowing any authenticated users to access private messages belonging to other users by...
CVE-2023-0453 WP Private Message < 1.0.6 - Private Message Disclosure via IDOR
The WP Private Message WordPress plugin bundled with the Superio theme as a required plugin before 1.0.6 does not ensure that private messages to be accessed belong to the user making the requests. This allowing any authenticated users to access private messages belonging to other users by...
CVE-2023-0453
CVE-2023-0453 affects the WP Private Message WordPress plugin (bundled with the Superio theme) prior to version 1.0.6. The root cause is insecure direct object references: private messages could be accessed by tampering the message_id value, allowing any authenticated user to view another user’s ...
WordPress WP Private Message Plugin < 1.0.6 is vulnerable to Insecure Direct Object References (IDOR)
Software WP Private Message Type Plugin Vulnerable versions 1.0.6 Fixed in 1.0.6 OWASP Top 10 A5: Broken Access Control Classification Insecure Direct Object References IDOR CVE CVE-2023-0453 Patch priority Low CVSS severity Low 7.5 Developer Claim ownership PSID c5646ba0a8f7 Credits Veshraj...
WP Private Message < 1.0.6 - Private Message Disclosure via IDOR
The plugin bundled with the Superio theme as a required plugin does not ensure that private messages to be accessed belong to the user making the requests. This allowing any authenticated users to access private messages belonging to other users by tampering the ID. - Install the Superio theme an...
CVE-2023-0549
A vulnerability, which was classified as problematic, has been found in YAFNET up to 3.1.10. This issue affects some unknown processing of the file /forum/PostPrivateMessage of the component Private Message Handler. The manipulation of the argument subject/message leads to cross site scripting. T...
CVE-2023-0549 YAFNET Private Message PostPrivateMessage cross site scripting
A vulnerability, which was classified as problematic, has been found in YAFNET up to 3.1.10. This issue affects some unknown processing of the file /forum/PostPrivateMessage of the component Private Message Handler. The manipulation of the argument subject/message leads to cross site scripting. T...