CVE-2023-28322: more POST-after-PUT confusion