{"vulnerability": "GHSA-R64R-5H43-26QV", "sightings": [{"uuid": "07cf16c1-6d98-453d-9af9-4d7118d0328b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "GHSA-R64R-5H43-26QV", "type": "seen", "source": "https://t.me/ctinow/187208", "content": "https://ift.tt/O8e5BYC\nCVE-2024-23649 | Lemmy up to 0.19.0 API report improper authorization (GHSA-r64r-5h43-26qv)", "creation_timestamp": "2024-02-18T10:48:47.000000Z"}, {"uuid": "0e52a7aa-63d9-4f65-b010-48c07c1f7e35", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "GHSA-R64R-5H43-26QV", "type": "seen", "source": "https://t.me/ctinow/173128", "content": "https://ift.tt/RkJ4mO0\n[GHSA-r64r-5h43-26qv] Any authenticated user may obtain private message details from other users on the same instance", "creation_timestamp": "2024-01-24T22:27:17.000000Z"}, {"uuid": "8425f1f3-1446-4f13-b7f2-bbb09c3cc3b4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "GHSA-R64R-5H43-26QV", "type": "seen", "source": "https://t.me/arpsyndicate/3064", "content": "#ExploitObserverAlert\n\nGHSA-r64r-5h43-26qv\n\nDESCRIPTION: Exploit Observer has 2 entries in 2 file formats related to GHSA-r64r-5h43-26qv. Users can report private messages, even when they're neither sender nor recipient of the message. The API response to creating a private message report contains the private message itself, which means any user can just iterate over message ids to (loudly) obtain all private messages of an instance. A user with instance admin privileges can also abuse this if the private message is removed from the response, as they're able to see the resulting reports.", "creation_timestamp": "2024-01-26T20:37:12.000000Z"}]}