Quassel core (server daemon) in Quassel IRC prior to 0.9.2 does not properly verify the user ID when accessing user backlogs, which allows remote authenticated users to read other users' backlogs via the bufferid in (1) 16/select_buffer_by_id.sql, (2) 16/select_buffer_by_id.sql, and (3) 16/select_buffer_by_id.sql in core/SQL/PostgreSQL/.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
quassel-irc quassel irc |
||
quassel-irc quassel irc 0.9.0 |