Description
An issue was discovered in tools/conversations/view_ajax.php in Concrete5 before 8.3.0. An unauthenticated user can enumerate comments from all blog posts by POSTing requests to /index.php/tools/required/conversations/view_ajax with incremental 'cnvID' integers.
Remediation
References
Related Vulnerabilities
WebLogic Deserialization of Untrusted Data Vulnerability (CVE-2019-16335)
Java Unspecified Vulnerability (CVE-2019-2684)
Ruby Improper Restriction of XML External Entity Reference Vulnerability (CVE-2021-28965)
Oracle Database Server Other Vulnerability (CVE-2005-3437)
MySQL Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-3319)