Impact
The UserBookmarkSerializer serialized the whole User / Group object which leaked some private information.
The data was only being serialized to people who could view assignment info, which is limited to staff by default. For the vast majority of sites, this data was only leaked to trusted staff member, but for sites with assign features enabled publicly, the data was accessible to more people than just staff.
Patches
A patch has been created and applied internally.
Workarounds
No, upgrading the plugin to 1.0.1 is required.
CvX Analyst
Impact
The UserBookmarkSerializer serialized the whole User / Group object which leaked some private information.
The data was only being serialized to people who could view assignment info, which is limited to staff by default. For the vast majority of sites, this data was only leaked to trusted staff member, but for sites with assign features enabled publicly, the data was accessible to more people than just staff.
Patches
A patch has been created and applied internally.
Workarounds
No, upgrading the plugin to 1.0.1 is required.