HackerOne Disclosed Reports - 2025-02-21


Severity: Medium | State: resolved

User Email Disclosure via ID-Based Invitation


Bug reported by Mohamed Kamal, disclosed on February 22, 2025, 2:13 am   |   Information Disclosure

The issue occurred when inviting a user by their WakaTime ID. If a user had set their email address to private, it was still disclosed when they were invited using their ID. This contradicted the user's privacy settings and led to unintended email exposure.


Severity: High | State: resolved

Insecure Direct Object Reference (IDOR) in GraphQL deleteProfileImages Mutation


Bug reported by AlphaHacks, disclosed on February 21, 2025, 10:18 pm   |   Insecure Direct Object Reference (IDOR)

An Insecure Direct Object Reference (IDOR) vulnerability was discovered in the GraphQL deleteProfileImages mutation of the Autodesk User Profile. The vulnerability could have allowed an attacker to delete another user's photo by supplying that photo's "id" parameter. Autodesk has addressed the vulnerability.


Severity: Low | State: resolved

Possible to enumerate valid files in password protected shares/files drop shares as well as spam folder with files


Bug reported by Lukas Reschke, disclosed on February 21, 2025, 10:39 am   |   Information Disclosure

The summary is as follows:

It was possible to enumerate valid files in password protected shares and file drop shares. Additionally, it was possible to spam the folder with empty files using an attacker-controlled file name. The vulnerability existed in the `DocumentAPIController#create` method, which did not validate whether the share was writable, upload-only, or password protected.
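Both the deleteProfileImages report and this one come down to a mutation that acted on caller-supplied input before checking what the caller was allowed to touch: an object-level ownership check in the first case, a share-level permission and password check in the second. The following is an added, constructed example (not Autodesk's, Nextcloud's or any of the reporters' code) that models both checks in a small in-memory store. All class, function and field names (ProfileImage, Share, delete_profile_images, create_document_in_share, the "upload-only" permission string) are hypothetical, and the sample data is made up.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class Forbidden(Exception):
    """Caller is not allowed to perform the operation."""


class NotFound(Exception):
    """Resource does not exist *for this caller*. Deliberately the same error
    whether the id is unknown or belongs to someone else, so the mutation
    cannot be used to probe which ids exist."""


@dataclass
class ProfileImage:
    id: str
    owner: str


@dataclass
class Share:
    token: str
    permissions: str                  # "read", "write" or "upload-only"
    password: Optional[str] = None    # None means not password protected
    files: Dict[str, bytes] = field(default_factory=dict)


def delete_profile_images(store: Dict[str, ProfileImage], caller: str, ids: List[str]) -> List[str]:
    """Delete profile images by id, but only those owned by `caller`.

    The ownership check is what the IDOR report describes as missing: the
    "id" parameter alone must never decide which object is affected.
    Every id is validated before any deletion so a rejected batch has no
    side effects."""
    for image_id in ids:
        image = store.get(image_id)
        if image is None or image.owner != caller:
            raise NotFound(image_id)
    for image_id in ids:
        del store[image_id]
    return list(ids)


def create_document_in_share(share: Share, filename: str, password: Optional[str] = None) -> str:
    """Create an empty document in a share, enforcing the share's settings
    before touching, or revealing anything about, its contents."""
    # 1. Password-protected share: check the password first, so an
    #    unauthenticated caller learns nothing from later branches.
    if share.password is not None:
        if password is None or not hmac.compare_digest(share.password.encode(), password.encode()):
            raise Forbidden("password required")
    # 2. The share must actually permit writes.
    if share.permissions not in ("write", "upload-only"):
        raise Forbidden("share is read-only")
    # 3. File drop (upload-only): the uploader must not learn what is already
    #    in the folder, so name collisions are resolved server-side and the
    #    stored name is not returned.
    if share.permissions == "upload-only":
        name, n = filename, 1
        while name in share.files:
            n += 1
            name = f"{filename} ({n})"
        share.files[name] = b""
        return "uploaded"
    # 4. Writable share: the caller can list the folder anyway, so refusing
    #    to overwrite an existing name reveals nothing new.
    if filename in share.files:
        raise Forbidden(f"{filename} already exists")
    share.files[filename] = b""
    return filename


def make_sample_data():
    """Constructed sample state: two users' images and three shares."""
    images = {
        "img-1": ProfileImage("img-1", "alice"),
        "img-2": ProfileImage("img-2", "bob"),
    }
    shares = {
        "public-ro": Share("public-ro", "read", files={"report.pdf": b"..."}),
        "drop": Share("drop", "upload-only", password="s3cret", files={"notes.txt": b""}),
        "team": Share("team", "write", files={"plan.md": b""}),
    }
    return images, shares


def raises(exc, fn, *args, **kwargs) -> bool:
    """True if calling fn(*args, **kwargs) raises `exc`."""
    try:
        fn(*args, **kwargs)
    except exc:
        return True
    return False


if __name__ == "__main__":
    images, shares = make_sample_data()
    print(delete_profile_images(images, "alice", ["img-1"]))
    print(raises(NotFound, delete_profile_images, images, "mallory", ["img-2"]))
    print(raises(Forbidden, create_document_in_share, shares["drop"], "notes.txt"))
    print(create_document_in_share(shares["drop"], "notes.txt", password="s3cret"), sorted(shares["drop"].files))
```

The ordering inside create_document_in_share is the point: the password and permission checks run before the code looks at the folder's contents, and the upload-only branch returns a fixed confirmation rather than the stored name, so neither an error message nor a success response tells a caller which file names already exist.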




