

CVE-2022-0574: Do not allow comments on Article if not published · publify/publify@0e6c66a

Improper Access Control in GitHub repository publify/publify prior to 9.2.8.


@@ -856,8 +856,9 @@

it “returns only published articles” do

article = create(:article)

create(:comment, article: article)

unpublished_article = create(:article, state: “draft”)

unpublished_article = create(:article)

create(:comment, article: unpublished_article)

unpublished_article.update!(state: “draft”)

expect(described_class.published).to eq([article])

expect(described_class.bestof).to eq([article])

end
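Review bot: The reordering in this example — create the article, attach a comment, then `unpublished_article.update!(state: "draft")` — is not explained, and a reader will wonder why the draft is no longer created in one step; presumably the comment can no longer be attached to an unpublished article, which is the behaviour the fix introduces, so the comment has to exist before the state changes. A one-line comment above the `update!` call such as `# comment must be attached while published; comments on unpublished articles are rejected` would record that intent. The example still only asserts that `published` and `bestof` exclude the draft and does not assert that a comment on the draft is refused, so a separate example for that is worth having if one is not already in the file.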

@@ -955,6 +956,17 @@

context “when auto_close setting is zero” do

let(:auto_close_value) { 0 }

it “does not allow comments for a draft article” do

art = build :article, state: "draft", blog: blog

assert art.comments_closed?

end

it “does not allow comments for an article that will be published in the future” do

art = build :article, state: "publication_pending",

published_at: 1.day.from_now, blog: blog

assert art.comments_closed?

end

it “allows comments for a newly published article” do

art = build :article, published_at: 1.second.ago, blog: blog

assert !art.comments_closed?
