This affects users who:
- Use OCF (the inbuilt forum)
- Do not have the optional activities addon installed (if you don't know what this is, you don't have it)

The security vulnerability is as follows:
The 'Posts' tab on member profiles does not filter by permissions. Therefore anyone with permission to view your profile can see whatever posts you've made.
This may be of great concern if you have private staff forums.
A fix for this is below (upload this replacement file):
The vulnerability has only just been noticed because most testers have been installing the activities addon, which removes the posts tab in favour of an all-encompassing activities tab, which does check permissions.
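
To make the missing check concrete, here is an added illustration (not the replacement file mentioned above, and not ocPortal's own code) of a profile "Posts" listing with and without a forum permission filter, plus a regression check that reports what the unfiltered listing exposes. The schema, table names, group ids and sample rows are all hypothetical and constructed for this example.

```python
import sqlite3

# Constructed schema and data; table and column names are hypothetical, not ocPortal's.
SCHEMA = """
CREATE TABLE forums (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE forum_access (forum_id INTEGER, group_id INTEGER);
CREATE TABLE member_groups (member_id INTEGER, group_id INTEGER);
CREATE TABLE posts (id INTEGER PRIMARY KEY, forum_id INTEGER, author_id INTEGER, body TEXT);
INSERT INTO forums VALUES (1, 'General'), (2, 'Staff');
INSERT INTO forum_access VALUES (1, 10), (1, 20), (2, 20);  -- 10 = members, 20 = staff
INSERT INTO member_groups VALUES (100, 20), (200, 10);      -- 100 = staff, 200 = regular
INSERT INTO posts VALUES (1, 1, 100, 'Welcome'), (2, 2, 100, 'Private staff note');
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def profile_posts_unfiltered(db, author_id):
    """The flawed pattern: every post by the author, whoever is viewing."""
    rows = db.execute(
        "SELECT id FROM posts WHERE author_id = ? ORDER BY id", (author_id,))
    return [r[0] for r in rows]

def profile_posts_filtered(db, author_id, viewer_id):
    """Same listing, restricted to forums the viewer's groups may read."""
    rows = db.execute(
        """SELECT DISTINCT p.id FROM posts p
           JOIN forum_access fa ON fa.forum_id = p.forum_id
           JOIN member_groups mg ON mg.group_id = fa.group_id
           WHERE p.author_id = ? AND mg.member_id = ?
           ORDER BY p.id""", (author_id, viewer_id))
    return [r[0] for r in rows]

def leaked_posts(db, author_id, viewer_id):
    """Regression check: posts the unfiltered tab shows that the viewer may not read."""
    allowed = set(profile_posts_filtered(db, author_id, viewer_id))
    return [p for p in profile_posts_unfiltered(db, author_id) if p not in allowed]

if __name__ == "__main__":
    db = open_db()
    # Regular member 200 viewing staff member 100's profile.
    print(leaked_posts(db, author_id=100, viewer_id=200))
```

A check like `leaked_posts` is useful as a test after applying a fix: for every viewer and author pair it should return an empty list.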