  1. Statuspage
  2. STATUS-719

Users are able to unsubscribe other subscribers from a page


    • Severity 1 - Critical

      Issue Summary

      If a user knows the email address or subscription details of another subscriber, they can go to the page and click on the "Subscribe to updates" button.

      Once they enter the email of the other subscriber and hit subscribe, they are presented with a screen that has the option to change the subscriptions to the components and also the page. They can change component subscriptions, and unsubscribe the user from the page.

      Note: To replicate this, the component subscriptions should be enabled on the page.

      Steps to Reproduce

      1. Use an email address that has already subscribed to the same Statuspage to subscribe via Email.
      2. You are redirected to the Subscription Management Panel for this email address, where you can see the associated Webhook URL and change the preferences.

      Expected Results

      Users should not be able to change other users' subscription preferences without some form of authentication.

      Actual Results

      You are redirected to the Subscription Management Panel for this email address and can change the subscription preferences or unsubscribe entirely.
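
The reported flow next to one way to meet the expected result, as an added Python sketch that is not Statuspage's code: the subscribe form never opens the panel itself, and every preference change needs a signed, expiring token that was mailed to the address. The secret, token format, 15-minute lifetime, function names and sample subscriber are assumptions made for the example.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: server-side secret
TOKEN_TTL = 900                   # assumption: link valid for 15 minutes
SUBSCRIBERS = {"alice@example.com": {"page": True, "components": ["api"]}}  # constructed
OUTBOX = []                       # stands in for outbound email

def subscribe_vulnerable(email):
    # Reported behaviour: a known address lands directly on its management panel.
    if email in SUBSCRIBERS:
        return {"action": "redirect", "to": "/manage?email=" + email}
    SUBSCRIBERS[email] = {"page": False, "components": []}
    return {"action": "check_your_email"}

def _sign(email, expires):
    return hmac.new(SECRET, f"{email}|{expires}".encode(), hashlib.sha256).hexdigest()

def make_manage_token(email, now=None):
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    return f"{expires}.{_sign(email, expires)}"

def verify_manage_token(email, token, now=None):
    try:
        expires_s, sig = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False  # malformed token
    now = int(time.time() if now is None else now)
    good = _sign(email, expires).encode()
    return expires >= now and hmac.compare_digest(sig.encode(), good)

def subscribe_hardened(email):
    # Identical response for new and existing addresses; the management token
    # is delivered only to the mailbox, so its owner is the one who can use it.
    SUBSCRIBERS.setdefault(email, {"page": False, "components": []})
    OUTBOX.append((email, make_manage_token(email)))
    return {"action": "check_your_email"}

def update_preferences(email, token, prefs, now=None):
    # Every change to a subscription must present a valid token for that address.
    if email not in SUBSCRIBERS or not verify_manage_token(email, token, now):
        return False
    SUBSCRIBERS[email].update(prefs)
    return True
```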

      Workaround

      N/A

            29e2f6a24b06 Pradip Acharjee
            99e0d6abe301 Alan Violada