Improper Access Control in chocobozzz/peertube
Valid
Reported on Jan 8th 2022
Description
Unauthenticated users can obtain comments on private videos
Proof of Concept
Visit the following API link, where 123 is the ID of the private video:
/api/v1/videos/123/comment-threads
Response contains all the comments on that private video.
Impact
This vulnerability discloses comments on private videos to unauthenticated users.
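The access-control gap described above, as an added example that is not code from the report or from PeerTube: a comment listing keyed only on the video ID, beside a version that reuses the parent video's access decision. All names, the in-memory data, and the owner-only rule for private videos are assumptions made for this sketch.

```javascript
// Added example: constructed in-memory data, hypothetical names throughout.
const videos = new Map([
  [122, { id: 122, privacy: 'public', ownerId: 7 }],
  [123, { id: 123, privacy: 'private', ownerId: 7 }],
]);
const comments = [
  { videoId: 122, text: 'public remark' },
  { videoId: 123, text: 'note on a private video' },
];

function threadsFor(videoId) {
  return comments.filter((c) => c.videoId === videoId);
}

// Flawed shape: the listing is keyed only on the video ID, so the privacy
// setting of the parent video is never consulted.
function listThreadsUnchecked(videoId) {
  if (!videos.has(videoId)) return { status: 404, body: null };
  return { status: 200, body: threadsFor(videoId) };
}

// Decide access to a video once, and reuse it for every sub-resource.
// Assumption of this sketch: only the owner may see a private video.
function videoAccessStatus(video, user) {
  if (video.privacy === 'public') return 200;
  if (!user) return 401; // anonymous caller
  return user.id === video.ownerId ? 200 : 403;
}

// Hardened shape: comments inherit the access decision of their video.
function listThreadsChecked(videoId, user) {
  const video = videos.get(videoId);
  if (!video) return { status: 404, body: null };
  const status = videoAccessStatus(video, user);
  return { status, body: status === 200 ? threadsFor(videoId) : null };
}

// Regression check: anonymous and non-owner callers get no comment data.
function regressionCheck() {
  const anon = listThreadsChecked(123, null);
  const other = listThreadsChecked(123, { id: 8 });
  const owner = listThreadsChecked(123, { id: 7 });
  return anon.body === null && other.body === null && owner.body.length === 1;
}
```

The same shared check belongs on every route nested under a video (comments, captions, ratings), so that a new sub-resource cannot skip it.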
We are processing your report and will contact the chocobozzz/peertube team within 24 hours.
2 years ago
We have contacted a member of the chocobozzz/peertube team and are waiting to hear back
2 years ago
duongdpt modified the report
2 years ago