2 matches found
CVE-2024-23649
Lemmy is a link aggregator and forum for the fediverse. Starting in version 0.17.0 and prior to version 0.19.1, users can report private messages, even when they're neither sender nor recipient of the message. The API response to creating a private message report contains the private message...
CVE-2024-23649
CVE-2024-23649 affects Lemmy 0.17.0 up to 0.19.0 (vulnerable) with a patch available in 0.19.1. The issue allows any authenticated user to obtain arbitrary private message contents by calling the API at /api/v3/private_message/report; the response can include the private message itself and, in so...