2 matches found
GHSA-5Q8V-J673-M5V4 Firefly III user API endpoints expose all users' information to any authenticated user (IDOR)
Summary The User management API endpoints GET /api/v1/users and GET /api/v1/users/id are accessible to any authenticated user without admin/owner role verification, exposing all users' email addresses, roles, and account status. Affected Endpoints 1. GET /api/v1/users UserController::index, line ...
Firefly III user API endpoints expose all users' information to any authenticated user (IDOR)
Summary The User management API endpoints GET /api/v1/users and GET /api/v1/users/id are accessible to any authenticated user without admin/owner role verification, exposing all users' email addresses, roles, and account status. Affected Endpoints 1. GET /api/v1/users UserController::index, line ...