Users can see "most recent" activity from categories they don't have access to

After upgrading Vanilla to v3.3 (from 2.3), users can see "Most recent" activity from categories they don't have access to: specifically the post title/author/timestamp. This appears in the parent category's "Most recent" post area.

I posted a bug report but haven't heard back yet so thought I'd mention it here in case any other users have run into the issue.

Steps to reproduce the behavior:

  1. Create a sub-category with custom permissions so only members of a certain role can see it.
  2. While logged in as a member who is not of that role, look at the /categories page, at the parent category's "most recent" post area.

Screen recording from fresh install
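To make the permission boundary in this report concrete, here is an added Python model (constructed for this thread, not Vanilla's own code) of how a parent category's "most recent" post should be chosen: a naive aggregation picks the newest post across every child category, which is the leak described above, while the hardened version only considers categories the viewing user's roles can see. Category, role and post values are constructed sample data.

```python
"""Constructed model of the 'most recent' leak in the report above.

A parent category's "most recent" entry must be chosen only from
child categories the viewer is allowed to see. The naive version
picks the newest post across all children regardless of viewer
permissions, exposing title/author/timestamp of restricted posts.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Post:
    title: str
    author: str
    timestamp: int  # constructed: seconds since epoch


@dataclass
class Category:
    name: str
    allowed_roles: Optional[set] = None  # None = no custom permission
    posts: list = field(default_factory=list)
    children: list = field(default_factory=list)


def can_view(category: Category, viewer_roles: set) -> bool:
    # Custom permissions restrict visibility to members of listed roles.
    if category.allowed_roles is None:
        return True
    return bool(category.allowed_roles & viewer_roles)


def most_recent_naive(parent: Category) -> Optional[Post]:
    # Leaky: aggregates every child without asking who is looking.
    candidates = list(parent.posts)
    for child in parent.children:
        candidates.extend(child.posts)
    return max(candidates, key=lambda p: p.timestamp, default=None)


def most_recent_visible(parent: Category, viewer_roles: set) -> Optional[Post]:
    # Hardened: aggregate only from categories the viewer may see.
    if not can_view(parent, viewer_roles):
        return None
    candidates = list(parent.posts)
    for child in parent.children:
        if can_view(child, viewer_roles):
            candidates.extend(child.posts)
    return max(candidates, key=lambda p: p.timestamp, default=None)


# Constructed sample data matching the reproduction steps above.
PRIVATE = Category("Staff Only", allowed_roles={"staff"},
                   posts=[Post("Private topic", "alice", 200)])
PARENT = Category("General", posts=[Post("Public topic", "bob", 100)],
                  children=[PRIVATE])
```

A regression test for a fix would assert that a viewer without the restricted role never receives the private post's title, author or timestamp from the parent listing.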

Comments

  • charrondev (Developer Lead (PHP, JS), Montreal, Vanilla Staff)
    edited February 26

    It seems valid, I'll take a look into how it's getting triaged for you. I will note that generally with security issues the place they get the most attention is on our HackerOne bounty program. We have certain timelines for how fast we triage things there, and if the issue is of a certain severity we pay out bounties.

    I'm not sure if you are eligible for a bounty when they are publicly disclosed though.


    In any case I'll try and get a response this week.

  • Oh wow, I didn't have this as a "security issue" in my mind! Frankly I assumed I was configuring something wrong. Would it be helpful for me to post it on the bug bounty as well?

  • Hi, has there been any update on this security issue?
