Apollo is a configuration management system. Prior to version 2.1.0, a low-privileged user can create a special web page. If an authenticated portal admin visits this page, the page can silently send a request to assign new roles for that user without any confirmation from the Portal admin. Cookie SameSite strategy was set to Lax in version 2.1.0. As a workaround, avoid visiting unknown source pages.

Flarum is a forum software for building communities. Using the mentions feature provided by the flarum/mentions extension, users can mention any post ID on the forum with the special syntax. The following behavior never changes no matter if the actor should be able to read the mentioned post or not: A URL to the mentioned post is inserted into the actor post HTML, leaking its discussion ID and post number. The `mentionsPosts` relationship included in the `POST /api/posts` and `PATCH /api/posts/` JSON responses leaks the full JSON:API payload of all mentioned posts without any access control. This includes the content, date, number and attributes added by other extensions.