Summary:
Hello HackerOne team, I found a vulnerability in setting a report as duplicate as a program owner. I’m able to duplicate a report to a report that has no relation to the program. For example, we can duplicate to a public report in Hacktivity.

`original_report_id` parameter to 2279010 (a report to PortSwigger, #2279010)

In addition, after some analysis, I found that we could also mark a report as duplicate of a private report, depending on who is marking it as duplicate. For example, I would be able to duplicate to the report with id #2441985, which was a private report.
{F3284759}
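
Added example, not part of the original report and not HackerOne's code: a small Ruby model of the duplicate-marking check, with a weak version that accepts any original report the acting user can read beside a hardened version that requires the original to belong to the same program. The root cause is an assumption (the report does not state it), and every name and record here is hypothetical and constructed, apart from `original_report_id`.

```ruby
# Constructed data model; report ids, programs and users are made up.
Report = Struct.new(:id, :program, :public, :readers)

REPORTS = {
  100 => Report.new(100, "acme",  false, ["owner_acme"]), # report being closed
  101 => Report.new(101, "acme",  false, ["owner_acme"]), # same-program original
  200 => Report.new(200, "other", true,  []),             # public, other program
  300 => Report.new(300, "other", false, ["owner_acme"]), # private, actor can read it
  400 => Report.new(400, "other", false, [])              # private, actor cannot read it
}.freeze

PROGRAM_MANAGERS = { "acme" => ["owner_acme"] }.freeze

# Weak check (assumed root cause): the only gate is whether the acting
# user can read the original, so the outcome depends on who is acting.
def mark_duplicate_weak(report_id, original_report_id, user)
  original = REPORTS[original_report_id]
  return :not_found if REPORTS[report_id].nil? || original.nil?
  return :not_found unless original.public || original.readers.include?(user)
  :ok
end

# Hardened check: authorization is tied to the program, not to the actor's
# personal visibility. Cross-program ids get the same answer as missing
# ids, so the endpoint does not confirm that a foreign report exists.
def mark_duplicate_strict(report_id, original_report_id, user)
  report = REPORTS[report_id]
  return :not_found if report.nil?
  return :forbidden unless PROGRAM_MANAGERS.fetch(report.program, []).include?(user)
  original = REPORTS[original_report_id]
  return :not_found if original.nil? || original.program != report.program
  return :invalid if original.id == report.id
  :ok
end

if __FILE__ == $PROGRAM_NAME
  [101, 200, 300, 400].each do |orig|
    weak   = mark_duplicate_weak(100, orig, "owner_acme")
    strict = mark_duplicate_strict(100, orig, "owner_acme")
    puts "original_report_id=#{orig} weak=#{weak} strict=#{strict}"
  end
end
```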