Gramps Web API: Private Sub-Object Data in Non-Private Objects Exposed to Guest Users

Summary Users with the Guest role could receive private sub-object data e.g. private alternate names, private addresses, private note/citation/media handles through list API endpoints such as GET /api/people/, GET /api/places/, GET /api/events/, and all other object list endpoints. This does not...

Information Exposure

Overview gramps-webapi is an A RESTful web API for the Gramps genealogical database. Affected versions of this package are vulnerable to Information Exposure in the iter process. An attacker can access private sub-object data attached to otherwise-public objects by querying list API endpoints as ...