Missing authorization when accessing channels and Personal Access Tokens through the Account API

» Published on Tue, 22 Feb 2022 09:00:00 +0000

  • Resolved

    Closed.

    » Updated Wed, 15 Jun 2022 09:15:00 +0000
  • Post-Mortem

    We recently discovered a missing authorization check on channel and Personal Access Token access through the Account API. The vulnerability made it possible to read and write channels and Personal Access Tokens that the requesting user was not authorized to access. Only authenticated users were potentially able to exploit it, and exploitation required active effort: the attacker had to guess valid database IDs for the target objects.

    The vulnerability was discovered internally and fixed within hours. The fix was deployed several days before this disclosure.

    Our records do not indicate that the vulnerability was exploited.

    » Updated Thu, 17 Feb 2022 08:00:00 +0000
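The flaw described above is the classic insecure direct object reference pattern: an API that resolves a channel or token by its database ID without comparing the object's owner with the authenticated caller. The following is an added example, not code from the affected service or this status page, that sketches that flaw in an in-memory Account API beside a hardened version, with an attacker-style ID probe run against both. All names (AccountStore, VulnerableAccountAPI, HardenedAccountAPI, the sample users, IDs and token values) are hypothetical and constructed for the example.

```python
# Added example, not code from the affected service or this status page.
# Sketch of a missing-authorization (IDOR) flaw in an Account API that looks
# channels and Personal Access Tokens up by database ID alone, beside a
# hardened version that scopes every lookup to the authenticated caller.
# All names, users, IDs and token values below are hypothetical.
from dataclasses import dataclass, field
from typing import Any, Dict, Iterable, List


class NotFound(Exception):
    """The object does not exist, or does not exist for this caller."""


@dataclass
class Channel:
    id: int
    owner_id: int
    name: str


@dataclass
class PersonalAccessToken:
    id: int
    owner_id: int
    secret: str


@dataclass
class AccountStore:
    channels: Dict[int, Channel] = field(default_factory=dict)
    tokens: Dict[int, PersonalAccessToken] = field(default_factory=dict)


class VulnerableAccountAPI:
    """Missing authorization: any authenticated caller who guesses a valid
    ID can read or modify another user's channel or token."""

    def __init__(self, store: AccountStore) -> None:
        self.store = store

    def get_channel(self, caller_id: int, channel_id: int) -> Channel:
        ch = self.store.channels.get(channel_id)
        if ch is None:
            raise NotFound()
        return ch  # caller_id is never compared with ch.owner_id

    def rename_channel(self, caller_id: int, channel_id: int, new_name: str) -> Channel:
        ch = self.get_channel(caller_id, channel_id)
        ch.name = new_name  # the write path inherits the same flaw
        return ch

    def get_token(self, caller_id: int, token_id: int) -> PersonalAccessToken:
        tok = self.store.tokens.get(token_id)
        if tok is None:
            raise NotFound()
        return tok


class HardenedAccountAPI(VulnerableAccountAPI):
    """Every lookup is scoped to the caller. An object that exists but belongs
    to someone else is reported exactly like a missing one, so the endpoint
    does not become an oracle for discovering valid IDs by guessing."""

    @staticmethod
    def _owned(objects: Dict[int, Any], caller_id: int, obj_id: int) -> Any:
        obj = objects.get(obj_id)
        if obj is None or obj.owner_id != caller_id:
            raise NotFound()
        return obj

    def get_channel(self, caller_id: int, channel_id: int) -> Channel:
        return self._owned(self.store.channels, caller_id, channel_id)

    def get_token(self, caller_id: int, token_id: int) -> PersonalAccessToken:
        return self._owned(self.store.tokens, caller_id, token_id)
    # rename_channel is inherited and now goes through the scoped lookup.


def probe_channel_ids(api: VulnerableAccountAPI, caller_id: int, ids: Iterable[int]) -> List[int]:
    """Attacker-style probe: which channel IDs in the range can this caller read?"""
    readable: List[int] = []
    for cid in ids:
        try:
            api.get_channel(caller_id, cid)
            readable.append(cid)
        except NotFound:
            pass
    return readable


def can_read_token(api: VulnerableAccountAPI, caller_id: int, token_id: int) -> bool:
    try:
        api.get_token(caller_id, token_id)
        return True
    except NotFound:
        return False


def build_store() -> AccountStore:
    """Constructed sample data: two users, each owning one channel and one token."""
    store = AccountStore()
    store.channels[1001] = Channel(1001, owner_id=1, name="alice-alerts")
    store.channels[1002] = Channel(1002, owner_id=2, name="bob-alerts")
    store.tokens[5001] = PersonalAccessToken(5001, owner_id=1, secret="pat-alice-example")
    store.tokens[5002] = PersonalAccessToken(5002, owner_id=2, secret="pat-bob-example")
    return store


if __name__ == "__main__":
    for label, api in (("vulnerable", VulnerableAccountAPI(build_store())),
                       ("hardened", HardenedAccountAPI(build_store()))):
        print(label, "caller 2 can read channels:", probe_channel_ids(api, 2, range(1000, 1010)))
        print(label, "caller 2 can read token 5001:", can_read_token(api, 2, 5001))
```

Two design points worth noting. First, the ownership check lives in the single lookup helper rather than being repeated in each handler, so the write path (rename_channel) cannot drift out of sync with the read path. Second, the hardened API raises the same NotFound for a foreign object as for a nonexistent one; returning a distinct "forbidden" response would confirm to a guessing attacker which IDs are valid, which is exactly the enumeration the post-mortem describes.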
