Severity: Low/Medium

Description: In the sendMessage controller, the backend does not verify that the receiverId actually exists in the users collection before creating the message.

Impact: An attacker can forge requests to send messages to random or non-existent ObjectIDs. These messages will be saved in the database permanently as orphaned documents, wasting database storage.
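One way to add the missing check, shown as an added example rather than the project's own controller code. The names makeSendMessage, users.exists and messages.create, the status codes, the in-memory store and the sample ids are all assumptions constructed for illustration.

```javascript
// Added example: sendMessage with a receiver existence check.
// `users` and `messages` are hypothetical data-access objects, not the
// project's real models; in-memory stand-ins below let this run offline.
const OBJECT_ID_RE = /^[0-9a-fA-F]{24}$/; // 24 hex chars, the ObjectID string form

function makeSendMessage({ users, messages }) {
  return async function sendMessage({ senderId, receiverId, text }) {
    // Reject anything that is not a well-formed id string before any query.
    if (typeof receiverId !== 'string' || !OBJECT_ID_RE.test(receiverId)) {
      return { status: 400, error: 'Invalid receiverId' };
    }
    // The missing check: the receiver must exist in the users collection.
    if (!(await users.exists(receiverId))) {
      return { status: 404, error: 'Receiver not found' };
    }
    // Only now is the message persisted, so no orphaned document is written.
    const message = await messages.create({ senderId, receiverId, text });
    return { status: 201, message };
  };
}

// Constructed in-memory stand-ins for the users and messages collections.
function makeMemoryStore(userIds) {
  const saved = [];
  return {
    saved,
    users: { exists: async (id) => userIds.includes(id) },
    messages: { create: async (doc) => { saved.push(doc); return doc; } },
  };
}

// Constructed sample ids.
const ALICE = 'aaaaaaaaaaaaaaaaaaaaaaaa';
const BOB = 'bbbbbbbbbbbbbbbbbbbbbbbb';
const NOBODY = 'cccccccccccccccccccccccc'; // well-formed, but no such user

async function demo() {
  const store = makeMemoryStore([ALICE, BOB]);
  const sendMessage = makeSendMessage(store);
  const results = [
    await sendMessage({ senderId: ALICE, receiverId: BOB, text: 'hi' }),
    await sendMessage({ senderId: ALICE, receiverId: NOBODY, text: 'hi' }),
    await sendMessage({ senderId: ALICE, receiverId: 'not-an-object-id', text: 'hi' }),
  ];
  return { statuses: results.map((r) => r.status), savedCount: store.saved.length };
}

demo().then((r) => console.log(r));
```

Only the message to an existing user is stored; the well-formed but unknown id and the malformed id are both rejected before any write.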