I confirmed that this does affect Essex. An authenticated user can force a delete to be scheduled for an image he does not own if it is public or has been explicitly shared with him. The vulnerability does not apply in the case that delayed_delete is disabled.
I confirmed that this does affect Essex. An authenticated user can force a delete to be scheduled for an image he does not own if it is public or has been explicitly shared with him. The vulnerability does not apply in the case that delayed_delete is disabled.