Impact
The vulnerability in NewsBlur versions older than 14.5.0 arises from a broken access control. The GET /social/interactions endpoint accepts a user_id parameter without verifying the requester owns that account. As a result, any authenticated user can retrieve the private notification feeds, followed users, replies, and other social activity of another user simply by supplying that user's ID. This is an example of CWE‑639, where a user can access data across ownership boundaries, leading to privacy breaches.
Affected Systems
This flaw affects the NewsBlur application supplied by Samuel Clay, specifically any deployment running a version earlier than 14.5.0. All clients – web, Android, or iOS – that expose the /social/interactions endpoint are potentially vulnerable if they have not applied the 14.5.0 release.
Risk and Exploitability
The CVSS score of 5.3 indicates a medium severity impact, reflecting that exploitation requires the attacker to be authenticated. The EPSS score is not available, but the lack of listing in CISA's KEV catalog suggests no documented exploits at this time. Attackers who have valid credentials could enumerate user IDs and obtain sensitive notification data through repeated calls to the endpoint. The vulnerability is plausible for any user who can log in, so the risk is elevated in environments with many authenticated users.
OpenCVE Enrichment