| Field | Value |
|---|---|
| Title | La Suite Numerique messages 0.2.0 IDOR |
| Description | An authenticated user can read the contents of any email thread in the system by sending a single PATCH request that pivots their ThreadAccess record from a thread they legitimately own to an arbitrary target thread. The permission check validates the thread before the update; the serializer writes the new thread value without re-checking authorization. Any authenticated user in a multi-tenant deployment can exfiltrate the complete contents of any other user's threads without the victim's knowledge. This includes private correspondence, board-level discussions, attachments, and any other content stored as email threads. |
| Source | https://github.com/suitenumerique/messages/security/advisories/GHSA-7476-6crq-4cw9#event-552396 |
| User | djnn (UID 95848) |
| Submission | 25/02/2026 13:43 (2 months ago) |
| Moderation | 07/03/2026 21:07 (10 days later) |
| Status | Accepted |
| VulDB Entry | 349717 [suitenumerique messages 0.2.0 ThreadAccess serializers.py ThreadAccessSerializer Weak Authentication] |
| Points | 20 |