4 matches found

Hacker One
added 2024/07/04 5:47 p.m., 51 views

U.S. Dept Of Defense: IDOR leads to view other user Biographical details (Possible PII LEAK)

The researcher discovered an Insecure Direct Object Reference (IDOR) vulnerability in the www.██████████ domain. The vulnerability allowed a user to access other users' biographical details, leading to a potential Personally Identifiable Information (PII) leak. The vulnerable endpoints were located i...

AI score: 6.9
Exploits: 0
Huntr
added 2022/12/23 2:51 p.m., 24 views

Archive any private memos + Delete any Shortcut + Edit any Shortcut from other users

Description
User can archive any private memos, Delete any Shortcut and Edit any Shortcut from other users via api
PATCH /api/memo/8 HTTP/1.1 "id":8,"rowStatus":"ARCHIVED"
PATCH /api/shortcut/2 HTTP/1.1 "id":2,"title":"shortahihix","payload":""
DELETE /api/shortcut/2
Proof of Concept
Login to...

CVSS: 4
AI score: 4.8
EPSS: 0.00166
Exploits: 1
Hacker One
added 2019/05/22 8:16 a.m., 64 views

Trint Ltd: IDOR to update folder name of other user

Summary
There is an IDOR to update folder name of other user
Steps To Reproduce:
- user A login to the application and see the folder name F494331
- user B login to the application and call the API with the projectId of user A
POST / HTTP/1.1
Host: graphql2.trint.com
User-Agent: Mozilla/5.0 Windo...

AI score: 7
Exploits: 0
Atlassian
added 2014/11/03 8:38 a.m., 17 views

user receives email notification even though restriction have been applied to the page

Steps to reproduce:
- Login to Confluence
- Create a page
- Insert a team calendar into the page
- Ask a user A to watch the page
- Make changes to team calendar
- User A is receiving email notification for the calendar as expected
- Creator of the page restrict the page with the calendar from being viewed by...

AI score: 0.7
Exploits: 0
Affected Software: 1