Improper Access Control in chocobozzz/peertube
Jan 8th 2022
Unauthenticated users can obtain comments on private videos
Proof of Concept
Visit the following API link where 123 is the ID of the private video:
The response contains all the comments on that private video.
This vulnerability discloses comments on private videos to unauthenticated users.
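The missing check described above, as an added example that is not part of the original report and is not PeerTube's code: a comment-listing handler that ignores the parent video's privacy, beside one that reuses the video's access decision, with a regression check for both. The data model, function names and status codes are assumptions made for illustration; only the video ID 123 comes from the report.

```javascript
// Constructed sample data; none of these names come from PeerTube's code base.
const PRIVACY = { PUBLIC: 'public', PRIVATE: 'private' };

const videos = new Map([
  [1, { id: 1, ownerId: 10, privacy: PRIVACY.PUBLIC }],
  [123, { id: 123, ownerId: 10, privacy: PRIVACY.PRIVATE }],
]);
const comments = [
  { videoId: 1, text: 'public remark' },
  { videoId: 123, text: 'private remark' },
];

// One policy decision, shared by every endpoint that exposes video data.
// Returns the HTTP status to send: 200 allows, anything else denies.
function checkVideoAccess(user, video) {
  if (!video) return 404;
  if (video.privacy === PRIVACY.PUBLIC) return 200;
  if (!user) return 401;                      // anonymous caller, private video
  if (user.id === video.ownerId) return 200;  // hypothetical owner-only rule
  return 403;                                 // authenticated but not entitled
}

// Vulnerable shape: filters by video ID only and never consults the
// parent video's privacy, so any caller receives the comments.
function listCommentsUnchecked(user, videoId) {
  return { status: 200, data: comments.filter(c => c.videoId === videoId) };
}

// Hardened shape: the child resource inherits the parent's access decision.
function listComments(user, videoId) {
  const status = checkVideoAccess(user, videos.get(videoId));
  if (status !== 200) return { status, data: [] };
  return { status, data: comments.filter(c => c.videoId === videoId) };
}

// Regression check for any handler with the same signature: comments on the
// private video reach the owner only, comments on the public video reach all.
function regressionCheck(handler) {
  const anon = handler(null, 123);
  const stranger = handler({ id: 99 }, 123);
  const owner = handler({ id: 10 }, 123);
  const anonPublic = handler(null, 1);
  return anon.data.length === 0 && stranger.data.length === 0 &&
         owner.data.length === 1 && anonPublic.data.length === 1;
}
```

Running the same check against every route nested under a video (comments, captions, and similar child resources) catches endpoints that skipped the parent's privacy decision.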
We are processing your report and will contact the chocobozzz/peertube team within 24 hours. a year ago
chocobozzz validated this vulnerability a year ago
duongdpt has been awarded the disclosure bounty
The fix bounty is now up for grabs
chocobozzz marked this as fixed in Not released yet with commit 84c8d9 a year ago
This vulnerability will not receive a CVE