HackerOne: Any user could upload attachments to pentest scoping form they don't have access to
The root cause of this issue was insufficient access controls implemented in the attachment upload functionality for pentest scoping forms. The endpoint responsible for handling attachment uploads did not properly validate the user's access rights to the specific scoping form, allowing any...