Incomplete removal of team invitation link from the list of participants.

mrsaganash

When you delete a link, it is only deleted from the roster, but the ndjson files associated with it remain, which means you can request information from them directly from the websocket server.

mrsaganash

I'm currently trying to rewrite the invite link removal process to fix this vulnerability. If I get it, I'll include a patch in the next post.

Perhaps the best solution would be to use a password when creating the invitation link and not share it with the link.

Mathilde

Hello!

Thanks for your interest in CryptPad and for sharing your findings!

You indeed identified a bug in our software. Our developers will take a look at this and it'll be fixed. Would you care to fill an issue on our GitHub repository? It will then be tracked from there and a pull request will be made to fix it.

We can also fill the issue ourselves if you prefer.
Best regards,