PingPong Improper Access Control Vulnerability Allowing Unauthorized File Retrieval or Deletion
Vulnerability
PingPong versions prior to 7.27.2 do not correctly enforce access control on thread files: an authenticated user can retrieve or delete files that belong to threads they are not authorized to access. Affected files include user-uploaded content and files generated by models. Exploitation requires an authenticated account with, for retrieval, permission to view at least one thread, and, for deletion, permission to participate in at least one thread. The precondition is only that the attacker can view or participate in some thread, not the thread that owns the targeted file.
Impact
Exploitation of this vulnerability could result in unauthorized access to or deletion of private files, including user-uploaded and model-generated output files.
Remediation
Users are advised to upgrade to PingPong version 7.27.2 or later. If an immediate upgrade is not possible, access to thread file download, image download, and file deletion endpoints should be restricted until the update can be applied.
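The pattern behind this class of bug is an endpoint that looks up a file by its identifier and authorizes the caller against something other than the file's owning thread. The following is an added illustration, not PingPong's code and not a description of its actual implementation: it shows one plausible broken handler that is consistent with the advisory's preconditions (the check confirms the caller can view some thread, then fetches any file by id) beside hardened download and delete handlers that resolve the file first and then authorize against the thread that owns it. All names, the data model and the sample data are assumptions constructed for the example.

```python
# Added illustration (not PingPong's code): object-level authorization on
# thread file download and deletion, broken pattern beside the fixed one.
# Names, data model, sample data and the exact shape of the bug are assumed.
from dataclasses import dataclass
from typing import Callable


class NotAuthorized(Exception):
    """Raised when the caller may not act on the requested file."""


@dataclass(frozen=True)
class Thread:
    id: int
    viewers: frozenset       # users who may read the thread
    participants: frozenset  # users who may post in / modify the thread


@dataclass
class StoredFile:
    id: int
    thread_id: int  # the thread that owns this file
    content: bytes


# Constructed sample data: two threads, one private file in each.
THREADS = {
    1: Thread(1, frozenset({"alice"}), frozenset({"alice"})),
    2: Thread(2, frozenset({"bob", "carol"}), frozenset({"bob"})),
}


def make_store() -> dict:
    """Fresh file table so deletions in one call do not leak into the next."""
    return {
        10: StoredFile(10, 1, b"alice's upload"),
        20: StoredFile(20, 2, b"model output for bob's thread"),
    }


def _caller_can_view_any_thread(user: str) -> bool:
    return any(user in t.viewers for t in THREADS.values())


def download_broken(user: str, file_id: int, store: dict) -> bytes:
    """Assumed broken pattern: authenticate the caller and confirm they can
    view *some* thread, then fetch the file by id alone. The file's owning
    thread is never consulted, so any thread viewer can read any file."""
    if not _caller_can_view_any_thread(user):
        raise NotAuthorized
    return store[file_id].content


def _file_and_thread(file_id: int, store: dict):
    f = store.get(file_id)
    if f is None:
        # Same exception as an authorization failure, so the response does
        # not reveal whether a guessed id exists.
        raise NotAuthorized
    return f, THREADS[f.thread_id]


def download_fixed(user: str, file_id: int, store: dict) -> bytes:
    """Resolve the file, then authorize against the thread that owns it."""
    f, thread = _file_and_thread(file_id, store)
    if user not in thread.viewers:
        raise NotAuthorized
    return f.content


def delete_fixed(user: str, file_id: int, store: dict) -> None:
    """Deletion is a write: it needs participation in the owning thread,
    not merely view access."""
    f, thread = _file_and_thread(file_id, store)
    if user not in thread.participants:
        raise NotAuthorized
    del store[file_id]


def attempt(op: Callable, user: str, file_id: int, store: dict) -> str:
    """Run a handler and report 'ok' or 'denied'."""
    try:
        op(user, file_id, store)
        return "ok"
    except NotAuthorized:
        return "denied"


if __name__ == "__main__":
    s = make_store()
    print("bob reads alice's file, broken handler:", attempt(download_broken, "bob", 10, s))
    print("bob reads alice's file, fixed handler: ", attempt(download_fixed, "bob", 10, s))
    print("carol (viewer only) deletes file 20:   ", attempt(delete_fixed, "carol", 20, s))
    print("bob (participant) deletes file 20:     ", attempt(delete_fixed, "bob", 20, s))
```

The two points a reviewer would check in a real fix are visible here: the authorization decision is made against the object actually being returned or removed, and a missing id and a forbidden id produce the same response so the endpoint does not become an oracle for enumerating file identifiers. Restricting the download, image and deletion endpoints, as the remediation above suggests for the interim, cuts off the broken path without changing the handler.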
