| Field | Value |
|---|---|
| Title | La Suite Numerique messages 0.2.0 IDOR |
| Description | An authenticated user can read the contents of any email thread in the system by sending a single PATCH request that pivots their own ThreadAccess record from a thread they legitimately own to an arbitrary target thread. The permission check validates the record's current thread before the update; the serializer then writes the new thread value without re-checking authorization against the target thread. In a multi-tenant deployment, any authenticated user can therefore exfiltrate the complete contents of any other user's threads without the victim's knowledge, including private correspondence, board-level discussions, attachments, and any other content stored as email threads. |
| Source | https://github.com/suitenumerique/messages/security/advisories/GHSA-7476-6crq-4cw9#event-552396 |
| User | djnn (UID 95848) |
| Submission | 25.02.2026 13:43 (2 months ago) |
| Moderation | 07.03.2026 21:07 (10 days later) |
| Status | Accepted |
| VulDB Entry | 349717 [suitenumerique messages 0.2.0 ThreadAccess serializers.py ThreadAccessSerializer weak authentication] |
| Points | 20 |
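The check-then-write ordering the description refers to, as an added example that is neither the project's code nor part of the original submission: a minimal in-memory model of a ThreadAccess record, the object-level permission check that only sees the record's current thread, and the PATCH handler in its vulnerable form beside a form that re-authorizes the target thread before writing. All names (`Store`, `patch_vulnerable`, `patch_fixed`, thread ids 1 and 2, users alice and bob) are assumptions, and the fixture data is constructed; the real project uses Django REST Framework, whose `has_object_permission` and serializer `validate_<field>` hooks this stand-in mimics.

```python
"""Model of a ThreadAccess pivot IDOR: the permission check validates the
record's *current* thread, then the update writes a new thread id unchecked.
Hypothetical stand-in for a DRF view/serializer pair, not the project's code."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional


class PermissionDenied(Exception):
    """Stand-in for rest_framework.exceptions.PermissionDenied (assumption)."""


@dataclass
class Thread:
    id: int
    messages: list[str] = field(default_factory=list)


@dataclass
class ThreadAccess:
    """One row granting `user` read access to `thread_id`."""
    id: int
    user: str
    thread_id: int


class Store:
    """In-memory substitute for the two database tables (constructed data)."""

    def __init__(self) -> None:
        self.threads: dict[int, Thread] = {}
        self.accesses: dict[int, ThreadAccess] = {}

    def add_thread(self, thread_id: int, messages: list[str]) -> None:
        self.threads[thread_id] = Thread(thread_id, list(messages))

    def grant(self, access_id: int, user: str, thread_id: int) -> ThreadAccess:
        self.accesses[access_id] = ThreadAccess(access_id, user, thread_id)
        return self.accesses[access_id]

    def user_can_access(self, user: str, thread_id: int) -> bool:
        return any(a.user == user and a.thread_id == thread_id
                   for a in self.accesses.values())


def check_object_permission(store: Store, user: str, access: ThreadAccess) -> None:
    """Object-level check in the style of has_object_permission(): it inspects
    the ThreadAccess row as it is *before* the update, i.e. its current thread."""
    if not store.user_can_access(user, access.thread_id):
        raise PermissionDenied("no access to this ThreadAccess record")


def read_thread(store: Store, user: str, thread_id: int) -> list[str]:
    """Thread read path; trusts the ThreadAccess rows completely."""
    if not store.user_can_access(user, thread_id):
        raise PermissionDenied("no access to thread")
    return store.threads[thread_id].messages


def patch_vulnerable(store: Store, user: str, access_id: int, new_thread_id: int) -> ThreadAccess:
    """PATCH on the access record with {"thread": new_thread_id}: the permission
    check runs against the old thread, then the new thread is written as-is."""
    access = store.accesses[access_id]
    check_object_permission(store, user, access)
    if new_thread_id not in store.threads:
        raise ValueError("unknown thread")  # existence check only, no authz
    access.thread_id = new_thread_id
    return access


def patch_fixed(store: Store, user: str, access_id: int, new_thread_id: int) -> ThreadAccess:
    """Same endpoint with the target re-authorized before the write, as a
    serializer validate_thread()-style check would do. The stricter option is to
    make `thread` read-only after creation; this variant permits a move only
    onto a thread the caller can already read."""
    access = store.accesses[access_id]
    check_object_permission(store, user, access)
    if new_thread_id not in store.threads:
        raise ValueError("unknown thread")
    if new_thread_id != access.thread_id and not store.user_can_access(user, new_thread_id):
        raise PermissionDenied("no access to target thread")
    access.thread_id = new_thread_id
    return access


def build_store() -> Store:
    """Constructed two-tenant fixture: alice owns thread 1, bob owns thread 2."""
    store = Store()
    store.add_thread(1, ["alice: hi team"])
    store.add_thread(2, ["bob: board minutes, confidential"])
    store.grant(10, "alice", 1)
    store.grant(20, "bob", 2)
    return store


def exploit(patch: Callable[[Store, str, int, int], ThreadAccess]) -> Optional[list[str]]:
    """Pivot alice's own record (id 10) onto bob's thread through `patch` and
    return what alice can then read from it, or None if the request is refused."""
    store = build_store()
    try:
        patch(store, "alice", 10, 2)
    except PermissionDenied:
        return None
    return read_thread(store, "alice", 2)


if __name__ == "__main__":
    print("vulnerable:", exploit(patch_vulnerable))
    print("fixed:     ", exploit(patch_fixed))
```

The point to take from the model is that the object-level check and the write disagree about which thread matters: the check answers "may this user touch this record", the write changes what the record grants. Any mutable foreign key on an access-control row needs the same authorization applied to its new value as to its old one, or must simply not be writable.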