2 matches found
HackerOne: An attacker can archive and unarchive any structured scope object on HackerOne
Summary: Hello, I have discovered an IDOR vulnerability that allows the scope of any program to be archived. Scopes are used to give information about the valid scopes of a program. For example, HackerOne has the following scopes: https://hackerone.com https://api.hackerone.com ... Steps To...
HackerOne: HackerOne Pentesters can access any structured scope object through GraphQL node interface
A missing authorization check in the StructuredScope protector class app/protectors/protectedstructuredscope.rb:42 enables any HackerOne Pentester to access structured scope objects of programs they aren't invited to or aren't running a penetration test through HackerOne. ruby class...