CVE-2022-0727: Check video privacy when creating comments/rates · Chocobozzz/PeerTube@6ea9295

Improper Access Control in GitHub repository chocobozzz/peertube prior to 4.1.0.


@@ -19,10 +19,14 @@ const expect = chai.expect describe('Test video comments API validator’, function () { let pathThread: string let pathComment: string
let server: PeerTubeServer
let video: VideoCreateResult
let userAccessToken: string let userAccessToken2: string
let commentId: number let privateCommentId: number let privateVideo: VideoCreateResult @@ -203,9 +207,8 @@ describe('Test video comments API validator’, function () {
it('Should fail with an incorrect video’, async function () { const path = ‘/api/v1/videos/ba708d62-e3d7-45d9-9d73-41b9097cc02d/comment-threads’ const fields = { text: ‘super comment’ } const fields = { text: ‘super comment’ }
await makePostBodyRequest({ url: server.url, path, @@ -215,10 +218,21 @@ describe('Test video comments API validator’, function () { }) })
it('Should fail with a private video of another user’, async function () { const fields = { text: ‘super comment’ }
await makePostBodyRequest({ url: server.url, path: ‘/api/v1/videos/’ + privateVideo.shortUUID + '/comment-threads’, token: userAccessToken, fields, expectedStatus: HttpStatusCode.FORBIDDEN_403 }) })
it('Should succeed with the correct parameters’, async function () { const fields = { text: ‘super comment’ } const fields = { text: ‘super comment’ }
await makePostBodyRequest({ url: server.url, path: pathThread, @@ -230,6 +244,7 @@ describe('Test video comments API validator’, function () { })
describe('When adding a comment to a thread’, function () {
it('Should fail with a non authenticated user’, async function () { const fields = { text: ‘text’ @@ -276,6 +291,18 @@ describe('Test video comments API validator’, function () { }) })
it('Should fail with a private video of another user’, async function () { const fields = { text: ‘super comment’ }
await makePostBodyRequest({ url: server.url, path: ‘/api/v1/videos/’ + privateVideo.uuid + ‘/comments/’ + privateCommentId, token: userAccessToken, fields, expectedStatus: HttpStatusCode.FORBIDDEN_403 }) })
it('Should fail with an incorrect comment’, async function () { const path = ‘/api/v1/videos/’ + video.uuid + ‘/comments/124’ const fields = {
