XenForo implements temporary attachments without additional constraints to view them, with the guest posting feature this sadly can be trivially exploited for spam:
Upload images in the quick editor and never post a reply. Use the URL of those images in an email for various phishing attacks. The URL points to your forum (images are uploaded to your server).
I've noticed that when a post is submitted with an attachment_hash present, no validation is performed to check that the hash was generated for the same content-editor, or worse yet, even the same user account.
In the worst case, although highly unlikely, this can allow a user to "steal" attachments that were uploaded by another user and associate them to their post first (either they know the hash or they guessed the hash).
An easier example: a user with access to multiple accounts can use this to circumvent quotas on one account, if the quota has not been reached on the other account...
In short, my analysis was that it was possible to use temporary attachments to bypass some permissions and quotas. I had not considered the SPAM angle. Temporary attachments should be tied to a specific user account / guest session, AND should be tied to a specific editor session (new post in forum X) which can be verified using some kind of editor hash for the content-type/context/container combination.
