TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and…
GitHub_M·CWE-283·Published 2026-03-06
TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 30, conversion of empty strings to null allows disguising DPA reports as genuine self-deletion reports. This issue has been patched in version 30.
TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 30, conversion of empty strings to null allows disguising DPA reports as genuine self-deletion reports. This issue has been patched in version 30.
### Summary Conversion of empty strings to null allows disguising DPA reports as genuine self-deletion reports. ### Details Creating a DPA report about another user and leaving the evidence field empty causes that report to look like the reported user self-requested deletion of their data. Ingenuine report is not distinguishable from a genuine one. This can be prevented by disabling [convertEmptyStringsToNull](https://api.laravel.com/docs/12.x/Illuminate/Foundation/Configuration/Middleware.html#method_convertEmptyStringsToNull) in the middleware, or by validating `evidence` in Http/Controllers/DPAController::store() to not be empty. ### PoC New DPA report -> Select "...someone who I suspect is under the age of 13" for the "The above username is..." field -> Add nothing to the "Evidence" field -> Submit ### Impact Potential unauthorized deletion of any arbitrary user's data both in the current system (TSPortal) and subsequent systems if actioned.
### Summary Conversion of empty strings to null allows disguising DPA reports as genuine self-deletion reports. ### Details Creating a DPA report about another user and leaving the evidence field empty causes that report to look like the reported user self-requested deletion of their data. Ingenuine report is not distinguishable from a genuine one. This can be prevented by disabling [convertEmptyStringsToNull](https://api.laravel.com/docs/12.x/Illuminate/Foundation/Configuration/Middleware.html#method_convertEmptyStringsToNull) in the middleware, or by validating `evidence` in Http/Controllers/DPAController::store() to not be empty. ### PoC New DPA report -> Select "...someone who I suspect is under the age of 13" for the "The above username is..." field -> Add nothing to the "Evidence" field -> Submit ### Impact Potential unauthorized deletion of any arbitrary user's data both in the current system (TSPortal) and subsequent systems if actioned.
TSPortal es la plataforma interna de la Fundación WikiTide utilizada por el equipo de Confianza y Seguridad para gestionar informes, investigaciones, apelaciones y el trabajo de transparencia. Antes de la versión 30, la conversión de cadenas vacías a nulo permitía disfrazar informes de DPA como informes genuinos de autoeliminación. Este problema ha sido parcheado en la versión 30.
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | NVD | 7.5 | 3.9 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| 3.1 | Secondary | GHSA | 7.5 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| 4.0 | Primary | cve.org | 8.4 | — | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:L/SA:H |
| 4.0 | Primary | cve.org | 8.4 | — | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:L/SA:H |
| 4.0 | Secondary | NVD | 8.4 | — | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| 4.0 | Secondary | GHSA | 8.4 | — | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:L/SA:H |