There was no server-side validation for the length parameter, so one could just change the parameter in the URL and fetch more information from the server at once than what the developer would have intended.
It's not that the user does not have access to that information, as he can just keep going page after page, so I wouldn't consider this a "security" issue.
But it can indeed be a "performance" issue, if some user started requesting millions of rows at the same time when you allowed MAX 30, for example, in your page length menu.
As reported in https://github.com/Laravel-Backpack/community-forum/discussions/939#discussioncomment-9129888
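
The kind of server-side check described above, as an added example that is not Backpack's own code or the code from this change. The function name `resolvePageLength`, the sample menu and the default are hypothetical, and treating `-1` as "all rows" is the assumed DataTables convention.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not Backpack's code): resolve the page length the
 * server will actually use from the client-supplied `length` value.
 *
 * @param mixed $requested  raw value taken from the query string
 * @param int[] $menu       lengths offered in the page length menu
 * @param int   $default    length used when the request is not acceptable
 */
function resolvePageLength(mixed $requested, array $menu, int $default): int
{
    // Reject arrays, floats, "30abc", empty values; only plain integers pass.
    $length = filter_var($requested, FILTER_VALIDATE_INT);
    if ($length === false) {
        return $default;
    }

    // Honour only values the developer put in the menu. This also covers
    // -1 ("all rows", assumed convention): it is accepted only when the
    // menu itself offers it, never because the client asked for it.
    if (in_array($length, $menu, true)) {
        return $length;
    }

    return $default;
}

// Constructed sample inputs, as they might arrive in the URL.
$menu = [10, 20, 30];
foreach (['20', '1000000', '-1', '30abc', ['x'], null] as $raw) {
    printf("%-10s => %d\n", json_encode($raw), resolvePageLength($raw, $menu, 10));
}
```

With the sample menu, only `'20'` is returned unchanged; every other input falls back to the default of 10, so the number of rows per request stays bounded by what the menu allows.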