By ganx on Wednesday, 23 May 2018
Hi guys, I think this is a security issue that needs pretty urgent attention.

People not logged in have direct access to the following link:

https://WEBSITE.co.za/component/rsvppro/?task=attendees.list&atd_id[0]=200|0&itemid=362&repeating=1&limit=-10

Hello,

What are your RSVP Pro configuration settings for permissions for public/guests?

Many thanks
Tony
·
6 years ago
·
As an example I have tested:

/index.php?option=com_rsvppro&task=attendees.list&atd_id[]=1|0&repeating=1&Itemid=242

Which just returns a blank content area.

Many thanks
Tony
·
6 years ago
·
Hi, they were all Inherited (Not allowed). I have set them to DENIED now as well, but the page is still displaying. Will do a few more tests on my side.
·
6 years ago
·
Also, what version of RSVP Pro are you using?
·
6 years ago
·
Sorry, the notification for new messages has been in spam.
JEvents 3.4.46 Stable
And RSVP 3.4.20
Joomla 3.8.5
·
6 years ago
·
Can you upgrade to Joomla! 3.8.8 just because and it should work fine.

Failing that, please provide super user logins and how to recreate the issue.

Many thanks
Tony
·
6 years ago