-
Bug
-
Resolution: Fixed
-
1.16.100.55 Beta, 1.16.1, 1.16.100.59 Beta
-
None
-
Confirmed
-
Windows
-
422538
Players can use the @s selector in commands like /tell, even when cheats are disabled. This allows them to get information they should not have access to.
Information marked with 
is potentially sensitive, the others are not really valuable information, but still should not be accessible.
| Parameter(s) | Example | Leaked Information |
|---|---|---|
| x y z r rm dx dy dz | /tell @s[x=0,z=0,r=10] hi | Their own location, even if the server owner wishes this information to be private. |
| scores | /tell @s[scores=\{something=15..}] hi | Internal scoreboard objective names and personal scores. |
| tag | /tell @s[tag=blah] hi | Internal tag names and personal tags. Note that the tag parameter is not suggested when cheats are disabled, but if it's typed manually, its potential values are still suggested and it can still be evaluated. |
| l lm | /tell @s[lm=30] hi | Amount of levels. |
| m | /tell @s[m=0] hi | Internal gamemode IDs. |
| ry rym rx rxm | /tell @s[rxm=0,rx=0] hi | Facing direction. |
Expected Behavior
Same as attempting to evaluate any other selector without cheats: Insufficient permissions error
- relates to
-
- Resolved