
CVE-2023-0914: Update BookmarkController · pixelfed/pixelfed@ef56f92

Improper Authorization in GitHub repository pixelfed/pixelfed prior to 0.11.4.


@@ -7,6 +7,7 @@ use Auth; use Illuminate\Http\Request; use App\Services\BookmarkService; use App\Services\FollowerService;
class BookmarkController extends Controller { @@ -24,6 +25,16 @@ public function store(Request $request) $profile = Auth::user()->profile; $status = Status::findOrFail($request->input(‘item’));
abort_if(!in_array($status->scope, ['public’, 'unlisted’, ‘private’]), 404);
if($status->scope == ‘private’) { abort_if( $profile->id !== $status->profile_id && !FollowerService::follows($profile->id, $status->profile_id), 404, ‘Error: Cannot bookmark private posts from accounts you do not follow.’ ); }
$bookmark = Bookmark::firstOrCreate( [‘status_id’ => $status->id], [‘profile_id’ => $profile->id] );
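Review bot: the Bookmark::firstOrCreate call at the end of the store() hunk matches only on ['status_id' => $status->id], with profile_id passed only as a creation value; if that is the real lookup key, the first bookmark of a status by any profile is returned to every later caller and no row is created for them. Unless the line was truncated by extraction, move profile_id into the lookup array, e.g. `Bookmark::firstOrCreate(['status_id' => $status->id, 'profile_id' => $profile->id])`. The added scope check and the FollowerService::follows() test for private statuses otherwise read correctly, and aborting with 404 rather than 403 avoids confirming that a private status id exists. One caveat on `$profile->id !== $status->profile_id`: the strict comparison is only safe if both ids are cast to the same type, so confirm the Profile and Status models cast them to int, or the owner will be treated as a non-follower.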

Related news

GHSA-qh6w-pq52-qxxq: Pixelfed may allow unauthorized actor to view private posts

Improper Authorization in GitHub repository pixelfed/pixelfed 0.11.4 and prior.
