Skip Navigation

Private message security issue for Lemmy 0.18.5

github.com Any authenticated user may obtain private message details from other users on the same instance

### Summary Users can report private messages, even when they're neither sender nor recipient of the message. The API response to creating a private message report contains the private message it...

Any authenticated user may obtain private message details from other users on the same instance

Users can brute-force their way into reading private messages with Lemmy versions below 0.19.1. I know there was the question of federation issues previously, but it appears to have been largely mitigated with the later versions at this point. Are there any plans to upgrade pawb.social?

0
0 comments