Veris: Critical IDOR - Get Rules of any organization remotely

2016-03-03T11:08:18
ID H1:120314
Type hackerone
Reporter itly
Modified 2016-06-12T16:04:23

Description

Hello Team,

I have found a critical IDOR using which an attacker can get the rules of any organization remotely by just changing the venue ID in a GET request.

Proof of Concept: Please find the attached screenshots.

Best Regards,

Hely H. Shah
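The report describes the classic IDOR pattern: a request is authenticated, but the server hands back the rules for whatever venue ID the client supplies, without checking that the caller's organization owns that venue. The following is an added example, not Veris's code or a reproduction of the affected endpoint; the organization, venue and rule records, the `User` type, the handler names and the error classes are all hypothetical. It models the vulnerable lookup beside an authorized one and includes a small enumeration helper of the kind a tester would use to show which IDs leak.

```python
# Added example (not Veris's code): object-level authorization for a
# "get rules by venue id" lookup. All names and data below are hypothetical.

from dataclasses import dataclass
from typing import Callable, Iterable, List


class NotFound(Exception):
    """Raised for unknown venues and for venues the caller may not see."""


@dataclass(frozen=True)
class User:
    user_id: str
    org_id: str


# Constructed sample data: two organizations, each owning one venue.
VENUE_OWNER = {"v-100": "org-A", "v-200": "org-B"}
VENUE_RULES = {
    "v-100": ["badge required", "no tailgating"],
    "v-200": ["visitor escort required"],
}


def get_rules_vulnerable(venue_id: str) -> List[str]:
    """IDOR: authentication happened upstream, but the lookup trusts the
    client-supplied venue id alone, so any valid id returns rules."""
    if venue_id not in VENUE_RULES:
        raise NotFound(venue_id)
    return list(VENUE_RULES[venue_id])


def get_rules_fixed(user: User, venue_id: str) -> List[str]:
    """Fixed: resolve the venue, then check the requester's org owns it.
    Unknown and unauthorized ids both map to NotFound so the response
    does not confirm which ids exist (avoids an enumeration oracle)."""
    owner = VENUE_OWNER.get(venue_id)
    if owner is None or owner != user.org_id:
        raise NotFound(venue_id)
    return list(VENUE_RULES[venue_id])


def accessible_venues(fetch: Callable[[str], List[str]],
                      candidate_ids: Iterable[str]) -> List[str]:
    """Enumerate candidate ids through a fetch function and return those
    whose rules could be read. Against the vulnerable handler this lists
    every existing venue; against the fixed one only the caller's own."""
    leaked = []
    for vid in candidate_ids:
        try:
            fetch(vid)
        except NotFound:
            continue
        leaked.append(vid)
    return leaked


if __name__ == "__main__":
    attacker = User(user_id="u-1", org_id="org-A")
    ids = ["v-100", "v-200", "v-300"]
    print("vulnerable:", accessible_venues(get_rules_vulnerable, ids))
    print("fixed:     ", accessible_venues(
        lambda vid: get_rules_fixed(attacker, vid), ids))
```

The point of the fixed variant is that the ownership check is performed on the resolved record, not on the id, and that the failure path is indistinguishable from a missing record; a 403 on foreign venues would still let an attacker confirm which IDs exist.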