The user_entityforms view that ships with the module does not use access restrictions of any kind to secure the data.
There is a filter on the view that maps the logged in user to the data, and this seems adequate to hide results from public view... but it probably isn't.
The view relies on security through obscurity which at the very least means it will trip any security audit checking for unsecured views (which is how this issue came to light for me).
Fixed
2.0
Code
It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.
Involves, uses, or integrates with views. In Drupal 8 core, use the “VDC” tag instead.
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.
No activities found.