The birthday (date and month, but not year) and name of people that allowed their birthday to be displayed to other members, might have been available to non-members via the API on /api/calendarjs/birthdays. This indirectly also shows that this person has been a member.
Impact
Low
Who are affected
Members that have had the ‘Show your birthday to other members on your profile page and in the birthday calendar’ option enabled on their profile.
Patches
This problem exists since aff25b0 which was released in v35 on March 1st 2021. This is fixed in the v44 release of the website, released November 23rd 2022.
Workarounds
- Disabling the
display birthday feature for all member profiles
- Block the
/api/calendarjs/birthdays route on webserver level
For more information
If you have any questions or comments about this advisory:
Gulianrdgd Analyst
tmgdejong Analyst
The birthday (date and month, but not year) and name of people that allowed their birthday to be displayed to other members, might have been available to non-members via the API on
/api/calendarjs/birthdays. This indirectly also shows that this person has been a member.Impact
Low
Who are affected
Members that have had the ‘Show your birthday to other members on your profile page and in the birthday calendar’ option enabled on their profile.
Patches
This problem exists since aff25b0 which was released in v35 on March 1st 2021. This is fixed in the v44 release of the website, released November 23rd 2022.
Workarounds
display birthdayfeature for all member profiles/api/calendarjs/birthdaysroute on webserver levelFor more information
If you have any questions or comments about this advisory: