nidico
commented
10 years ago Very interesting finding; as discussed offline, I also couldn't find any significant exploit possibility. Let's do a release soon and inform admins to update their installations soon anyway.
the guard decorator was not thread-safe. This allowed perpetrators to let other users execute controller functions with manipulated parameters. However, I could not find any critical exploits based on this bug.