{"uuid": "8425f1f3-1446-4f13-b7f2-bbb09c3cc3b4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "GHSA-R64R-5H43-26QV", "type": "seen", "source": "https://t.me/arpsyndicate/3064", "content": "#ExploitObserverAlert\n\nGHSA-r64r-5h43-26qv\n\nDESCRIPTION: Exploit Observer has 2 entries in 2 file formats related to GHSA-r64r-5h43-26qv. Users can report private messages, even when they're neither sender nor recipient of the message. The API response to creating a private message report contains the private message itself, which means any user can just iterate over message ids to (loudly) obtain all private messages of an instance. A user with instance admin privileges can also abuse this if the private message is removed from the response, as they're able to see the resulting reports.", "creation_timestamp": "2024-01-26T20:37:12.000000Z"}