Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
huntrTuannq229986F06E28-ED8D-4F96-B4AD-E47F2FE94BA6
HistoryAug 05, 2023 - 5:02 a.m.

IDOR in Users Edit screen

2023-08-0505:02:28
tuannq2299
www.huntr.dev
6
idor
user privilege
information disclosure

0.0005 Low

EPSS

Percentile

18.2%

JSON

Description

By manipulating the User ID in the URL, users with low privilege can view the information of any users

Proof of Concept

Step 1: Login as user1 with author privilege, see that he can only access the edit screen of himself. Click on edit button.

Step 2: See the userID in the URL, modify it to the userID of Admin

Step 3: Now user1 can view some extra information of admin such as β€œUser Settings”, β€œAPI Keys”

Related

prion 1
osv 1
cvelist 1
cve 1
nvd 1
prion
prion
Authorization
2023-08-28 01:15:00
osv
osv
CVE-2023-4560
2023-08-28 01:15:10
cvelist
cvelist
CVE-2023-4560 Improper Authorization of Index Containing Sensitive Information in omeka/omeka-s
2023-08-28 00:00:20
cve
cve
CVE-2023-4560
2023-08-28 01:15:10
nvd
nvd
CVE-2023-4560
2023-08-28 01:15:10

0.0005 Low

EPSS

Percentile

18.2%

JSON
Related for 86F06E28-ED8D-4F96-B4AD-E47F2FE94BA6
prion1osv1cvelist1cve1nvd1