Product
An authorization bypass vulnerability exists in FlaskBB through version 2.2.0, allowing authenticated moderators to perform unauthorized administrative actions such as locking, unlocking, deleting, or hiding topics in forums they do not control. This is achieved by crafting batch requests that include a low-ID topic from a permitted forum, which bypasses permission checks applied only to the first item, and then executing actions on topics from unmoderated forums.