-
Type:
Bug
-
Resolution: Fixed
-
Priority:
Medium
-
Affects Version/s: 2.10.0, 3.0.0
-
Component/s: None
We've discovered and fixed a security issue, where the attacker could (using the REST API):
- access the list of patches in a review (their filename, database id upload date and anchor details) without authentication
- access the patch content for any review as long as he had view access to any other review on the server