GHSA-jmxc-hhwx-gvv3: Private Lemmy instances expose multi-community metadata without authentication
read_multi_community() does not enforce the private-instance setting. On a private instance, an unauthenticated visitor can read multi-community names, titles, summaries, sidebars, owner identities, and member community lists.
mid = api(“POST”, “/multi_community”, admin, json={ “name”: “m” + suffix, “title”: secret, “summary”: secret + " summary", “sidebar”: secret + " sidebar", }).json()[“multi_community_view”][“multi”][“id”]
References
Code Behaviors & Features
Detect and mitigate GHSA-jmxc-hhwx-gvv3 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →