Security problem with user mentioning

  • Affected App
    WoltLab Suite Forum

    Hi,

    When you mention someone, the link that is created includes your token key.

    The problem is that when someone follows the link, he is logged in to the first user's account (because of the token). Therefore, the second user has all the rights of the first (if he is an administrator, you can imagine the disaster...)

    So I think you should consider an account as connected only if it has a SESSION variable and the token matches the session.

    Thanks.
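The failure mode the post describes, and the session-bound check it proposes, as an added illustration. This is not WoltLab code: the session store, the example.invalid URLs, the `t` query parameter and every function name below are hypothetical, written only to show why a token carried in a mention link must never be accepted as a login by itself.

```python
"""Added example (not WoltLab code): a token embedded in a shared link acts as a
bearer credential if the server treats it as proof of identity. The hardened
check takes identity only from the session cookie and requires any presented
token to match the token stored for that same session."""
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Hypothetical server-side session store: session id (cookie) -> session data
SESSIONS: dict = {}


def create_session(user: str) -> tuple:
    """Log a user in: mint a session id (sent as a cookie) and a per-session token."""
    sid = secrets.token_urlsafe(32)
    token = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "token": token}
    return sid, token


def build_mention_link_leaky(mentioned: str, token: str) -> str:
    """The bug in the post: the mentioning user's own token ends up in the link."""
    return f"https://example.invalid/user/{mentioned}/?t={token}"


def build_mention_link_safe(mentioned: str) -> str:
    """A mention link needs no token at all; it only identifies the mentioned user."""
    return f"https://example.invalid/user/{mentioned}/"


class Request:
    """Minimal stand-in for an HTTP request: token from the URL, session id from the cookie."""

    def __init__(self, url_token: Optional[str] = None, cookie_sid: Optional[str] = None):
        self.url_token = url_token
        self.cookie_sid = cookie_sid


def current_user_vulnerable(req: Request) -> Optional[str]:
    """Treats any known token, wherever it came from, as proof of identity.
    Whoever follows a leaked link becomes that token's owner."""
    if req.url_token is None:
        return None
    for session in SESSIONS.values():
        if hmac.compare_digest(session["token"], req.url_token):
            return session["user"]
    return None


def current_user_hardened(req: Request) -> Optional[str]:
    """Identity comes only from the session cookie. A token in the request is
    accepted only if it equals the token stored for that very session, so a
    token copied out of someone else's link is rejected."""
    if req.cookie_sid is None:
        return None
    session = SESSIONS.get(req.cookie_sid)
    if session is None:
        return None
    if req.url_token is None or not hmac.compare_digest(session["token"], req.url_token):
        return None
    return session["user"]


def demo() -> dict:
    """An administrator mentions 'bob'; a visitor with their own session follows the link."""
    admin_sid, admin_token = create_session("admin")
    visitor_sid, _ = create_session("visitor")
    leaky_link = build_mention_link_leaky("bob", admin_token)
    leaked_token = parse_qs(urlparse(leaky_link).query)["t"][0]
    visitor_follows_link = Request(url_token=leaked_token, cookie_sid=visitor_sid)
    return {
        "vulnerable": current_user_vulnerable(visitor_follows_link),  # 'admin'
        "hardened": current_user_hardened(visitor_follows_link),      # None
        "no_cookie": current_user_hardened(Request(url_token=leaked_token)),  # None
        "own_session": current_user_hardened(
            Request(url_token=admin_token, cookie_sid=admin_sid)
        ),  # 'admin'
        "safe_link_has_token": "t=" in build_mention_link_safe("bob"),  # False
    }


if __name__ == "__main__":
    print(demo())
```

The comparison uses `hmac.compare_digest` so that token checks run in constant time, and the hardened check refuses a request whose token does not belong to the session that sent it, which is exactly the "token OK with the session" rule the post asks for.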
