Impact
Who is impacted?
This vulnerability exposes appeals to the general public: anyone who has the full URL of an appeal, including the query string, can view it, because the query string carries the full appeal key. If the ticket is open, such a person can also post falsely as though they were the appellant. This potentially affects every user, and it allows permanent, public internet archiving of appeals by anyone with access to the full URL, thereby exposing appellants to unknown risks.
The query string of the URL may be saved in the browser's history, passed in Referer headers to other web sites, stored in web server logs, or otherwise recorded elsewhere. Because the query string contains sensitive information (the appeal key), an attacker can use it to launch impersonation attacks indefinitely.
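As an added example (not code from this advisory or from the affected project), the following log scrubber covers the web-log leak vector named above: it masks the appeal key in both the request URL and the Referer field of combined-format access logs before they are retained, and reports how many keys it removed. The endpoint path `/appeal`, the parameter name `key`, and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
# Assumed names (not from the advisory): the appeal page is served at
# /appeal and the key rides in a query parameter called "key".
APPEAL_PATH = "/appeal"
KEY_PARAM = "key"

# Apache/nginx "combined" format: the request line and the Referer are the
# two fields that can carry a full appeal URL.
LOG_RE = re.compile(
    r'^(?P<pre>\S+ \S+ \S+ \[[^\]]+\] "\S+ )(?P<url>\S+)(?P<mid> \S+" \d{3} \S+ ")'
    r'(?P<ref>[^"]*)(?P<post>" "[^"]*"$)'
)

def redact_url(url):
    """Mask the appeal key in a URL; second value says whether one was present."""
    parts = urlsplit(url)
    if parts.path != APPEAL_PATH or not parts.query:
        return url, False
    found, cleaned = False, []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name == KEY_PARAM and value:
            cleaned.append((name, "REDACTED"))
            found = True
        else:
            cleaned.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(cleaned))), found

def scrub_log(lines):
    """Rewrite access-log lines so the stored log holds no appeal keys.
    Both the request URL and the Referer are scrubbed: a key in the Referer
    means the appeal URL was carried over from the page the user came from.
    Returns the scrubbed lines and the number of keys removed."""
    out, removed = [], 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # not combined format; leave untouched
            out.append(line)
            continue
        url, hit_url = redact_url(m["url"])
        ref, hit_ref = redact_url(m["ref"])  # "-" is not /appeal, passes through
        removed += hit_url + hit_ref
        out.append(m["pre"] + url + m["mid"] + ref + m["post"])
    return out, removed

# Constructed sample lines; client addresses and key values are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Feb/2023:10:00:00 +0000] "GET /appeal?id=42&key=abc123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [11/Feb/2023:10:00:05 +0000] "GET /help HTTP/1.1" 200 100 "https://example.test/appeal?id=42&key=abc123" "Mozilla/5.0"',
    '10.0.0.9 - - [11/Feb/2023:10:01:00 +0000] "GET /status HTTP/1.1" 200 80 "-" "curl/7.88"',
]
```

Running the scrubber as a log pipeline stage removes the stored copy of the key, but it does nothing for browser history or third-party Referer recipients, which only a change to where the key travels can address.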
Patches
Has the problem been patched? What versions should users upgrade to?
There is no patch as of 11 February 2023.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
The only remediation is to never share the full URL of one's appeal with anyone, as the full URL contains the appeal key.
References
Are there any links users can visit to find out more?
No. Please do not attempt to find these on internet archive websites.