Veris: Critical IDOR - Get Rules of any organization remotely

ID H1:120314
Type hackerone
Reporter itly
Modified 2016-06-12T16:04:23


Hello Team,

I have found a critical IDOR using which an attacker can get the rules of any organization remotely by just changing the venue id in a GET request.

Proof of Concept: Please find the attached screenshots.

Best Regards,

Hely H. Shah
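The report above gives only the shape of the bug: the rules endpoint takes a venue id from the query string and returns that venue's rules without checking that the venue belongs to the caller's organization. The following is an added example that models that pattern and its fix; it is not code from the report or from Veris, and every name, data value and the `venue_id` query parameter are assumptions, not the real endpoint.

```python
"""
Added example (not part of the HackerOne report or the vendor's code).

Models the IDOR pattern described in the report: rules are fetched by a
client-supplied venue id. The vulnerable handler looks the venue up and
returns its rules; the fixed handler first checks that the venue belongs
to the requesting user's organization. All identifiers, parameter names
and sample data below are assumed for illustration.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass(frozen=True)
class User:
    user_id: int
    org_id: int


# Constructed sample data: two organizations, each owning one venue.
VENUE_ORG = {101: 1, 202: 2}  # venue_id -> owning org_id
VENUE_RULES = {
    101: ["No outside food", "Doors close at 23:00"],
    202: ["Members only after 22:00"],
}


class Forbidden(Exception):
    """Raised when the caller's organization does not own the venue."""


def get_rules_vulnerable(user: User, venue_id: int) -> list:
    """IDOR: the venue id is trusted as-is, so any logged-in user can read
    any organization's rules just by changing the id."""
    if venue_id not in VENUE_RULES:
        raise KeyError(venue_id)
    return VENUE_RULES[venue_id]


def get_rules_fixed(user: User, venue_id: int) -> list:
    """Server-side ownership check: resolve the venue's organization and
    compare it with the caller's. Unknown and foreign venues get the same
    error so the endpoint does not reveal which venue ids exist."""
    owner = VENUE_ORG.get(venue_id)
    if owner is None or owner != user.org_id:
        raise Forbidden("venue not accessible to this organization")
    return VENUE_RULES[venue_id]


def handle_get_rules(user: User, query_string: str, lookup) -> tuple:
    """Minimal GET handler: parses 'venue_id=<int>' from the query string and
    delegates to one of the lookup functions above. Returns (status, body)."""
    params = parse_qs(query_string)
    raw = params.get("venue_id", [None])[0]
    if raw is None or not raw.isdigit():
        return 400, {"error": "venue_id required"}
    try:
        return 200, {"rules": lookup(user, int(raw))}
    except (Forbidden, KeyError):
        return 403, {"error": "forbidden"}


if __name__ == "__main__":
    attacker = User(user_id=7, org_id=1)  # belongs to org 1, venue 101
    # Cross-organization read through the vulnerable handler succeeds.
    print(handle_get_rules(attacker, "venue_id=202", get_rules_vulnerable))
    # The same request against the fixed handler is refused.
    print(handle_get_rules(attacker, "venue_id=202", get_rules_fixed))
    # Own venue still works.
    print(handle_get_rules(attacker, "venue_id=101", get_rules_fixed))
```

The fix is the ownership comparison inside `get_rules_fixed`, not anything at the client: tying the venue to the session's organization server-side is the only check an attacker cannot bypass by editing the request.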