GHSA-588F-FVCV-XHVF Note Mark: Unauthenticated disclosure of soft-deleted note metadata via deleted=true on public books
Summary GET /api/books/bookID/notes is an unauthenticated endpoint that accepts a "deleted" query parameter. When the request is ?deleted=true, the service runs the query with Unscoped bypassing GORM's soft-delete scope but keeps the read-authorization clause as "ownerid = ? OR ispublic = ?". As ...