Scoold Feedback Deletion Vulnerability Allowing Cross-Account Deletion

Vulnerability

A vulnerability in Scoold, prior to version 1.66.1, allows authenticated users with low privileges to delete feedback posts from other users. This issue arises because the feedback deletion feature, accessible via POST /feedback/{id}/delete, verifies authentication but fails to check ownership or require moderator/admin authorization before allowing deletions. As a result, a non-privileged user could successfully remove a feedback item from a victim account, with the deletion immediately reflected in the feedback views.
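The following is an added illustration of the flaw class described above, written for this page and not taken from Scoold's code base: a model of a feedback-deletion handler that checks only authentication, beside a hardened version that also requires the caller to be the post's owner or hold a moderator/admin role. The `FeedbackStore`, `User`, `Role` and `AUDIT_LOG` names, the sample posts and the HTTP-style integer return codes are all constructed for the example; Scoold's real handler, data model and role names are not assumed.

```python
"""Constructed model of a feedback-deletion endpoint, with and without an
ownership/role check. Example code for this page, not Scoold's own code."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Role(Enum):
    USER = "user"
    MODERATOR = "moderator"
    ADMIN = "admin"


@dataclass(frozen=True)
class User:
    id: str
    role: Role = Role.USER


@dataclass
class Feedback:
    id: str
    author_id: str
    body: str


class FeedbackStore:
    """Minimal in-memory stand-in for the application's persistence layer."""

    def __init__(self, items):
        self._items = {f.id: f for f in items}

    def get(self, feedback_id: str) -> Optional[Feedback]:
        return self._items.get(feedback_id)

    def delete(self, feedback_id: str) -> None:
        del self._items[feedback_id]

    def ids(self) -> set:
        return set(self._items)


# Audit trail for denied attempts. In a deployment this would be a structured
# log line that a detection rule can match (repeated 403s on delete endpoints
# from one account is a useful signal of authorization probing).
AUDIT_LOG: list = []


def delete_feedback_vulnerable(store: FeedbackStore, current_user: Optional[User],
                               feedback_id: str) -> int:
    """Mirrors the flawed behaviour: authentication is checked, ownership is not."""
    if current_user is None:
        return 401
    if store.get(feedback_id) is None:
        return 404
    store.delete(feedback_id)  # any authenticated user reaches this line
    return 200


def can_delete(current_user: User, feedback: Feedback) -> bool:
    """Owner, moderator or admin may delete; everyone else is refused."""
    return (current_user.id == feedback.author_id
            or current_user.role in (Role.MODERATOR, Role.ADMIN))


def delete_feedback_hardened(store: FeedbackStore, current_user: Optional[User],
                             feedback_id: str) -> int:
    """Same endpoint with the missing ownership/role check added."""
    if current_user is None:
        return 401
    feedback = store.get(feedback_id)
    if feedback is None:
        return 404
    if not can_delete(current_user, feedback):
        AUDIT_LOG.append({"event": "feedback_delete_denied",
                          "user": current_user.id,
                          "feedback": feedback_id,
                          "owner": feedback.author_id})
        return 403
    store.delete(feedback_id)
    return 200


def make_store() -> FeedbackStore:
    """Constructed sample data: two feedback posts by two different users."""
    return FeedbackStore([Feedback("fb-1", "alice", "Search is slow"),
                          Feedback("fb-2", "bob", "Dark mode please")])


if __name__ == "__main__":
    mallory = User("mallory")  # low-privilege account, owns neither post
    print("vulnerable handler:", delete_feedback_vulnerable(make_store(), mallory, "fb-1"))
    print("hardened handler:  ", delete_feedback_hardened(make_store(), mallory, "fb-1"))
```

The hardened handler looks the record up before deciding, because the decision depends on the record's owner; a check that only inspects the caller's role would still let an ordinary user delete other users' posts. Returning 404 ahead of the ownership check does reveal whether an ID exists; if that matters, return 403 for both cases.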

Impact

Exploitation of this vulnerability allows any logged-in user to delete feedback posts from other users, leading to unauthorized removal of content and disruption of the platform's feedback system.

Reproduction

To reproduce this vulnerability, log in with a low-privilege account and send a POST request to the feedback deletion endpoint, including the ID of a feedback post belonging to another user. The targeted feedback post will be deleted without any authorization checks.

Remediation

Users can update to Scoold version 1.66.1 or later, where this vulnerability has been patched.

Added: Apr 2, 2026, 9:24 PM
Updated: Apr 2, 2026, 9:24 PM

Vulnerability Rating

Custom Algorithm

  spread          1.0
  impact          0.6
  exploitability  6.8
  remediation     7.7
  relevance       5.1
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.