no access restrictions to provide reviews from users who are not allowed to provide reviews
Categories
(Thunderbird :: Security, defect)
Tracking
(Not tracked)
People
(Reporter: ghifari898, Unassigned)
Details
(Keywords: reporter-external)
Attachments
(2 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
Steps to reproduce:
Go to https://addons.thunderbird.net/en-us/seamonkey/addon/downthemall/
and note that you only need to be logged in to post a review.
Actual results:
Hi team, I found a vulnerability that is quite detrimental to your users: it gives anyone (including people who haven't downloaded the add-on yet) access to post a review of the add-on.
Expected results:
You should not give review access to users who have not downloaded the add-on; only allow users who have downloaded it to post reviews.
Comment 1•3 years ago
Comment 2•3 years ago
Sorry, there was an error.
The vulnerable URL is https://addons.mozilla.org/id/firefox/
Comment 3•3 years ago
Neither we nor Firefox track who downloads for privacy and other reasons, so there is no way to restrict addon reviews in the way you suggest.
This isn't a security issue, so removing sec flag. Also, add-on site issues should be reported using the link in the page footer of https://addons.mozilla.org/
Comment 4•3 years ago
This is so disappointing. How can someone arbitrarily leave a review without downloading it, with the intention of, for example, lowering someone's rating? And this regardless of abuse. Are you going to let this go on and allow someone to arbitrarily leave a review without downloading?