Impact
What kind of vulnerability is it? Who is impacted?
This vulnerability allows any person with access to a particular appellant's appeal key to view the appeal regardless of whether it has been oversighted (i.e. marked invalid). This impacts appellants, who can view information they should not be able to see, as well as administrators, whose responses should not be visible to anyone once an appeal is oversighted. The issue exposes oversighted information only to an end user who enters the appeal key while not authenticated in the system using OAuth (as is the case with appellants).
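The missing check, as an added example that is not the project's code or its patch: a hypothetical key-based lookup in Python, showing the behaviour described above next to a version that refuses oversighted appeals on the unauthenticated path. All names, keys and records are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Appeal:
    appeal_key: str
    body: str
    oversighted: bool = False  # True once the appeal is marked invalid
    admin_responses: list = field(default_factory=list)


# Constructed sample records; keys and text are placeholders.
APPEALS = {
    a.appeal_key: a
    for a in (
        Appeal("KEY-OPEN-0001", "please unblock me", False, ["under review"]),
        Appeal("KEY-OVER-0002", "text hidden by oversight", True, ["internal reply"]),
    )
}


def public_view_vulnerable(appeal_key):
    """Behaviour described in the advisory: the key alone decides access."""
    appeal = APPEALS.get(appeal_key)
    if appeal is None:
        return None
    return {"body": appeal.body, "responses": list(appeal.admin_responses)}


def public_view_hardened(appeal_key):
    """Key-based (non-OAuth) path that refuses oversighted appeals."""
    appeal = APPEALS.get(appeal_key)
    # Unknown and oversighted keys get the same answer, so the response does
    # not reveal that a hidden appeal exists (a design choice of this example).
    if appeal is None or appeal.oversighted:
        return None
    return {"body": appeal.body, "responses": list(appeal.admin_responses)}


def leaked_keys(view):
    """Regression check: keys of oversighted appeals that a view still serves."""
    return sorted(
        key for key, appeal in APPEALS.items()
        if appeal.oversighted and view(key) is not None
    )
```
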
Patches
Has the problem been patched? What versions should users upgrade to?
As of 11 February 2023, this has not been patched.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
No. There is no workaround without upgrading.
References
Are there any links users can visit to find out more?
No.