Duplicate /account/alert page does state mutation via GET

Xon (Well-known member)

Affected version: 2.1.10 Patch 2
It is possible to craft an image link which exploits the fact that the alerts page does state modification on GET, resulting in all of the victim user's alerts unexpectedly being marked as read.

Trivial bb-code example: [img]https://xenforo.com/community/account/alerts[/img]
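An added illustration of the bug class, not XenForo's code and not part of Xon's report: a minimal alerts handler that marks everything read on any request method, beside a hardened version that only mutates state on a POST carrying a valid CSRF token. The store layout, handler names, the `_xfToken` form field and the session model are all illustrative assumptions; the point is that the `<img>` fetch a reader's browser makes for the bb-code above is a cookie-bearing GET with no form body, so the vulnerable handler fires for every reader while the hardened one only renders.

```python
"""Added example (not XenForo's code): why state changes on GET are abusable.

A forum renders [img]https://example.test/account/alerts[/img] as an <img>
tag. Every reader's browser fetches that URL with the reader's session
cookie, so an endpoint that mutates state on GET runs for every reader.
Handler names, the store layout and the _xfToken field name are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session, selected by the cookie the browser sends."""
    user_id: int
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def new_alert_store():
    """Constructed sample data: alerts per user, each {'id', 'read'}."""
    return {
        7: [{"id": 1, "read": False}, {"id": 2, "read": False}],
        8: [{"id": 3, "read": False}],
    }


def unread_count(store, user_id):
    return sum(1 for a in store[user_id] if not a["read"])


def vulnerable_alerts(method, session, store, form=None):
    """Renders /account/alerts and marks everything read on ANY method.

    This is the pattern the report describes: a plain GET mutates state,
    so the <img> fetch triggered by the bb-code does the damage.
    """
    for alert in store[session.user_id]:
        alert["read"] = True
    return 200, f"{unread_count(store, session.user_id)} unread"


def hardened_alerts(method, session, store, form=None):
    """GET only renders; the state change needs POST plus a valid CSRF token."""
    if method == "GET":
        return 200, f"{unread_count(store, session.user_id)} unread"
    if method != "POST":
        return 405, "method not allowed"
    token = (form or {}).get("_xfToken", "")
    # Constant-time compare so the token cannot be recovered byte by byte.
    if not hmac.compare_digest(token, session.csrf_token):
        return 403, "bad or missing CSRF token"
    for alert in store[session.user_id]:
        alert["read"] = True
    return 200, f"{unread_count(store, session.user_id)} unread"


def victim_views_poisoned_post(handler, store):
    """Simulates a victim whose browser renders the attacker's [img] tag.

    The browser issues GET /account/alerts with the victim's cookie and no
    form body, so no CSRF token can accompany the request. Returns how many
    of the victim's alerts are still unread afterwards.
    """
    victim = Session(user_id=7)
    handler("GET", victim, store)  # the <img src> fetch
    return unread_count(store, 7)


def victim_marks_read_legitimately(store):
    """The intended flow: a POST from the victim's own page carrying the token."""
    victim = Session(user_id=7)
    status, _ = hardened_alerts(
        "POST", victim, store, {"_xfToken": victim.csrf_token}
    )
    return status, unread_count(store, 7)


if __name__ == "__main__":
    print("vulnerable, after <img> fetch:",
          victim_views_poisoned_post(vulnerable_alerts, new_alert_store()), "unread")
    print("hardened,   after <img> fetch:",
          victim_views_poisoned_post(hardened_alerts, new_alert_store()), "unread")
    print("hardened,   legitimate POST:  ", victim_marks_read_legitimately(new_alert_store()))
```

The fix is not to reject GET outright (the page must still render) but to move the mutation behind POST and a per-session token, which an `<img>` tag can neither send nor know.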