Unauthorized access to reading vulnerability report titles WHEN the whole security module is disabled in the project

⚠️ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #3155693 by mateuszek on 2025-05-20, assigned to @katwu:

Report

1. Description:
I found a scenario where an attacker has unauthorized access to reading vulnerability report titles WHEN the whole security module is disabled in the project.

I added the PoC video - video1.mp4

Screenshot (image.png) - on hover, the title of a private vulnerability within a public project is displayed

I will write the steps soon in the comment of this report.

Best regards,
Mateusz

Impact

  • Unauthorized access to reading vulnerability report titles WHEN the whole security module is disabled in the project

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • video1.mp4

How To Reproduce

Please add reproducibility information to this section:

Edited Jun 17, 2025 by Neil McCorrison