huntr report 0E776F3D-35B1-4A9E-8FE8-91E46C0D6316 by r0hansh
History: Jan 02, 2022 - 3:54 p.m.

Improper Access Control in microweber/microweber

2022-01-02 15:54:30 | r0hansh | www.huntr.dev

EPSS: 0.001 (Low) | Percentile: 26.1%

Description

Access controls restrict a user to the functions the application intends that user to reach. When a user can reach a feature or function the application does not allow for them, and the attempt succeeds, that is a broken access control vulnerability.
In this case, a normal (non-admin) user can steal sensitive information belonging to other users, such as the laravel_session auth cookie, cart orders, order payment details, user email, user address and much more.

Proof of Concept

1. Create an account as a normal user and visit

https://demo.microweber.org/demo/api/users/export_my_data?user_id=1

NOTE: In the above URL, keep replacing the user_id with other numbers (2, 3, and so on) to obtain other users' information.
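Because the endpoint takes a client-supplied user_id, the enumeration above leaves a clear trace in the web server's access log: one client pulling exports for several distinct user_id values. The routine below is an added example (not from the huntr report or Microweber's code) that flags such clients; the log format, the client addresses and the threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed access-log sample in a combined-log-like format (assumed);
# the addresses are documentation ranges, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jan/2022:15:50:01 +0000] "GET /demo/api/users/export_my_data?user_id=5 HTTP/1.1" 200 812
203.0.113.7 - - [02/Jan/2022:15:50:02 +0000] "GET /demo/api/users/export_my_data?user_id=1 HTTP/1.1" 200 2231
203.0.113.7 - - [02/Jan/2022:15:50:03 +0000] "GET /demo/api/users/export_my_data?user_id=2 HTTP/1.1" 200 1904
203.0.113.7 - - [02/Jan/2022:15:50:04 +0000] "GET /demo/api/users/export_my_data?user_id=3 HTTP/1.1" 200 1788
198.51.100.9 - - [02/Jan/2022:15:51:10 +0000] "GET /demo/api/users/export_my_data?user_id=9 HTTP/1.1" 200 901
198.51.100.9 - - [02/Jan/2022:15:52:00 +0000] "GET /demo/shop/cart HTTP/1.1" 200 5120
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
EXPORT_PATH = "/api/users/export_my_data"  # path from the report, minus the site prefix


def parse_export_requests(log_text):
    """Yield (client, user_id, status) for every request to the export endpoint."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        target = urlparse(m.group("target"))
        if not target.path.endswith(EXPORT_PATH):
            continue
        ids = parse_qs(target.query).get("user_id")
        if not ids:
            continue
        yield m.group("client"), ids[0], int(m.group("status"))


def find_enumerators(log_text, min_distinct_ids=3):
    """Return {client: sorted user_ids} for clients that received HTTP 200 exports
    for at least min_distinct_ids different user_id values. A legitimate user only
    ever exports its own data, so more than one id per client is already suspicious;
    the threshold (assumed) merely tolerates a stray retry with a mistyped id."""
    seen = defaultdict(set)
    for client, user_id, status in parse_export_requests(log_text):
        if status == 200:
            seen[client].add(user_id)
    return {c: sorted(ids, key=lambda s: (len(s), s))
            for c, ids in seen.items() if len(ids) >= min_distinct_ids}
```

Once the endpoint is fixed to serve only the caller's own record (or a record the caller is authorised to read), the same routine still works as a regression check: any flagged client means the authorisation check has been bypassed again.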

Impact

An attacker can steal sensitive information belonging to other users, such as the laravel_session auth cookie, cart orders, order payment details, user email, user address and much more.
