Skip to:
Content
Pages
Categories
Search
Top
Bottom

BuddyPress – Friends Requests


  • ozzidoesnotlikeregistration
    Participant

    @ozzidoesnotlikeregistration

    5 years, 8 months ago

    I would like to report the following bug resulting in information disclosure.

    There is a missing permission checks on: …/boss/members/{username}/friends/requests/?new

    Earlier versions, (confirmed in 1.3.3): …/boss/members/{username}/friends/requests-inbound/

    One can see friend requests of any user, it shows the button too, but fortunately it does not work.

Viewing 3 replies - 1 through 3 (of 3 total)

  • Venutius
    Moderator

    @venutius

    5 years, 8 months ago

    Which plugin are you referring to here? I don’t recognise those links as part of BuddyPress, there’s not a requests-inbound endpoint in BP that I’m aware of, where does the boss part come from? same with requests/?new the bp default is simplt requests. When I try to access another users friend requests, I get an unauthorised notice.


    ozzidoesnotlikeregistration
    Participant

    @ozzidoesnotlikeregistration

    5 years, 8 months ago

    BudsyBoss sent me here, I don’t know whose code this is, fact is its broken 😀
    Which version are you using?


    Venutius
    Moderator

    @venutius

    5 years, 8 months ago

    I’m using the latest version of BuddyPress, version 4.2. What plugin are you referring to when you say it’s version 1.3.3?

Viewing 3 replies - 1 through 3 (of 3 total)
  • You must be logged in to reply to this topic.

Topic Info

Skip to toolbar