
#313 Post-Python 3: Non-bureaucrats can create Delete Recognized Domain submissions

v1.0 (example)
open
nobody
None
5
2026-06-08
2026-06-08
Ahasuerus
No

Non-bureaucrat users, including regular editors and moderators, cannot access edit/edit_delete_recognized_domain.cgi, but they can access edit/submit_delete_recognized_domain.cgi to create Delete Recognized Domain submissions.

In addition, non-bureaucrat moderators can approve Delete Recognized Domain submissions. When you combine these two vulnerabilities, they allow non-bureaucrat moderators to delete recognized domains.
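An added sketch of the check this report implies, not ISFDB code and not part of the original ticket: the same role gate applied at the form, submit and approve stages, plus an audit that flags any stage gated below policy. The role ordering, stage names, `POLICY`, `REPORTED` and all function names are assumptions made for illustration.

```python
from enum import IntEnum

class Role(IntEnum):
    # Assumed ordering: each role includes the privileges of the ones below it.
    EDITOR = 1
    MODERATOR = 2
    BUREAUCRAT = 3

STAGES = ("form", "submit", "approve")

# Policy: a bureaucrat-only submission type needs the same gate at every stage.
POLICY = {"DeleteRecognizedDomain": {s: Role.BUREAUCRAT for s in STAGES}}

# Constructed model of the state the ticket reports: only the edit form is gated.
REPORTED = {"DeleteRecognizedDomain": {
    "form": Role.BUREAUCRAT, "submit": Role.EDITOR, "approve": Role.MODERATOR}}

def audit_gaps(policy, enforced):
    """Return (type, stage, enforced, required) for every under-protected stage."""
    gaps = []
    for sub_type, stages in policy.items():
        for stage, required in stages.items():
            # A handler with no recorded gate is treated as open to any editor.
            actual = enforced.get(sub_type, {}).get(stage, Role.EDITOR)
            if actual < required:
                gaps.append((sub_type, stage, actual.name, required.name))
    return gaps

class Forbidden(Exception):
    """Raised when the caller's role is below the stage's required role."""

def authorize(role, sub_type, stage, policy=POLICY):
    """Server-side check each handler calls before doing any work."""
    required = policy[sub_type][stage]
    if role < required:
        raise Forbidden(f"{stage} of {sub_type} requires {required.name}")
    return True

def lifecycle_allowed(role, sub_type):
    """True only if the role passes the gate at every stage of the submission."""
    try:
        return all(authorize(role, sub_type, s) for s in STAGES)
    except Forbidden:
        return False

if __name__ == "__main__":
    for gap in audit_gaps(POLICY, REPORTED):
        print("gap:", gap)
```
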
