Glassdoor: wasResumeUsed ███ on /api-internal/api.htm endpoint leaking other users' resume usage status
The API endpoint that checks if a resume was used for previous job applications was found to be vulnerable. The endpoint accepted a parameter called "resumeMetadataId" which was not properly validated, allowing an attacker to check the usage status of resumes that did not belong to the user. This...
PHPYun: broken access control allows modifying resume/job-posting status
Brief description: PHPYUN allows unauthorized modification of job postings published by companies. Details: in wap/member/com.class.php, function jobset_action (syntax restored from the garbled listing; underscores, $_GET and -> were stripped by extraction):

    if ($_GET['status']) {
        // Unauthorized update of a company's job-posting status: the id comes straight from the request with no ownership check
        $this->obj->update_once('company_job', array('status' => intval($_GET['status'])), array('id' => intval($_GET['id'])));
        $this->member_log("修改职位招聘状态");
        $this->wap_layer_msg("设置成功!");
    }

The exploit URL is as follows...