Improper Access Control in chocobozzz/peertube

Valid

Reported on

Jan 8th 2022


Description

Unauthenticated users can obtain comments on private videos

Proof of Concept

Vísit the following API link where 123 is the ID of the private video:

/api/v1/videos/123/comment-threads

Response contains all the comments on that private video.

Impact

This vulnerability disclosure comments on private videos to unauthenticated users.

We are processing your report and will contact the chocobozzz/peertube team within 24 hours. 18 days ago
We have contacted a member of the chocobozzz/peertube team and are waiting to hear back 17 days ago
duongdpt modified their report
17 days ago
chocobozzz validated this vulnerability 16 days ago
duongdpt has been awarded the disclosure bounty
The fix bounty is now up for grabs
chocobozzz confirmed that a fix has been merged on 84c8d9 16 days ago
chocobozzz has been awarded the fix bounty