Inflection: Privilege Escalation: Read-Only to Admin

2017-10-14T07:34:10
ID H1:277138
Type hackerone
Reporter foobar7
Modified 2019-03-15T17:10:52

Description

While the interface hides the users page from read-only users, they can still perform PUT requests to the API to change their privileges where they only have read-only permissions.
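The missing server-side check described above, sketched as an added example that is not part of the original report and is not Inflection's code. The handler names, role strings, status codes and user records are hypothetical and constructed for illustration.

```python
from copy import deepcopy

ROLES = ("read-only", "admin")      # assumed role model
WRITABLE_FIELDS = {"name", "role"}  # assumed allow-list of updatable fields

# Constructed sample data: one admin and one read-only user.
USERS = {
    1: {"name": "alice", "role": "admin"},
    2: {"name": "bob", "role": "read-only"},
}

def put_user_ui_only(users, caller_id, target_id, body):
    """Before: access control lives only in the interface, so the API
    applies whatever an authenticated caller sends in a PUT."""
    users[target_id].update(body)
    return 200

def put_user_enforced(users, caller_id, target_id, body):
    """After: the API decides on its own, whatever the interface hides."""
    caller = users.get(caller_id)
    if caller is None:
        return 401
    # Read-only callers may not write, and in particular may not set a role.
    if caller["role"] != "admin":
        return 403
    if target_id not in users:
        return 404
    # Reject unknown fields and role values outside the known set.
    if set(body) - WRITABLE_FIELDS:
        return 400
    if "role" in body and body["role"] not in ROLES:
        return 400
    users[target_id].update(body)
    return 200

def demo():
    """Replay the same self-promotion request against both handlers."""
    before, after = deepcopy(USERS), deepcopy(USERS)
    s1 = put_user_ui_only(before, 2, 2, {"role": "admin"})
    s2 = put_user_enforced(after, 2, 2, {"role": "admin"})
    s3 = put_user_enforced(after, 1, 2, {"name": "robert"})
    return (s1, before[2]["role"]), (s2, after[2]["role"]), (s3, after[2]["name"])

if __name__ == "__main__":
    print(demo())
```

A regression test for this class of bug should call the API directly as a read-only user rather than drive the interface, since the interface already hides the page.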