Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
huntrAmammadD44DEF81-2834-4031-9037-E923975C3852
HistorySep 08, 2021 - 11:41 p.m.

in weseek/growi

2021-09-0823:41:11
amammad
www.huntr.dev
10
weseek/growi
unauthenticated users
comments.remove
vulnerability
integrity
bugbounty

EPSS

0.001

Percentile

39.3%

JSON

✍️ Description

In following endpoint don’t check the authorization of users and any user can delete other users comments /_api/comments.remove

the body of request is like this :

{
"comment_id"  :  "61393bb36970d0000c62b3cf"

,

"_csrf"  : <a_new_one>

}

any user receive all comment_id and can easily replace other users comment_id with own comment_id and delete other user’s comments.

💥 Impact

This vulnerability is capable of make high impact on integrity of system.

Related

prion 1
nvd 1
cve 1
osv 1
veracode 1
cvelist 1
prion
prion
Authorization
2022-01-12 11:15:00
nvd
nvd
CVE-2021-3852
2022-01-12 11:15:08
cve
cve
CVE-2021-3852
2022-01-12 11:15:08
osv
osv
CVE-2021-3852
2022-01-12 11:15:08
veracode
veracode
Privilege Escalation
2022-01-13 17:24:06
cvelist
cvelist
CVE-2021-3852 Authorization Bypass Through User-Controlled Key in weseek/growi
2022-01-12 10:15:11

EPSS

0.001

Percentile

39.3%

JSON
Related for D44DEF81-2834-4031-9037-E923975C3852
prion1nvd1cve1osv1veracode1cvelist1