It's too bad this was not reported directly to the admins of the software rather than placed in the community. But once the cat is out of the bag we are all vulnerable...
Sick of people ranting about how I should have reported it to the vendor first when they do not know the situation. I have a message thread with Todd, Lincoln, UnderDog dating back to June 2012 where I report all my findings to them. These vulnerabilities, and MORE which I did not release publicly, were reported on the 14th of May 2013, to which he replied:
"Thanks so much for this. We actually just got roughly the same report and have a fix ready for the 2.0.18 branch, but I'm still in the process of fixing it for our 2.1 branch."
Tested on a local install of 22.214.171.124. Haven't tested anywhere else so it could be just me.
If you include an image like so
<img src="http://yourforum.org/vanilla/discussion/bookmark/24514/">
anyone that views the page will automatically bookmark the thread of id 24514. The original bookmark URL contains the transient hash but removing it doesn't seem to stop it from working for me.
Can anyone else verify this or is it just happening to me?
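A server-side check that would reject the request described in the post above, as an added example that is not part of the original posts and is not Vanilla's own code. The function names, the HMAC-derived key scheme and the session ids are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed per-process secret for this example only.
SERVER_SECRET = secrets.token_bytes(32)


def transient_key(session_id: str) -> str:
    """Derive a per-session anti-CSRF key (hypothetical scheme, not Vanilla's)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def bookmark_allowed(method: str, session_id: str, supplied_key: Optional[str]) -> bool:
    """Decide whether a bookmark request may change state for this session."""
    # A page-embedded image only ever issues GET, so state changes require POST.
    if method.upper() != "POST":
        return False
    # A missing or empty key fails closed instead of falling through to success.
    if not supplied_key:
        return False
    # Constant-time comparison against the key bound to this exact session.
    expected = transient_key(session_id)
    return hmac.compare_digest(supplied_key.encode(), expected.encode())


def demo() -> dict:
    """Run constructed sample requests through the check."""
    sid = "session-a"  # constructed session id
    return {
        "img_get_no_key": bookmark_allowed("GET", sid, None),
        "get_with_key": bookmark_allowed("GET", sid, transient_key(sid)),
        "post_no_key": bookmark_allowed("POST", sid, ""),
        "post_other_session_key": bookmark_allowed("POST", sid, transient_key("session-b")),
        "post_valid_key": bookmark_allowed("POST", sid, transient_key(sid)),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'rejected'}")
```

Only the POST carrying the key bound to the requesting session is accepted; the keyless request from the report is rejected twice over, once for the method and once for the missing key.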