Open-Xchange: Critical : View/Edit access to private appointments of calendar folder by read only user (Vertical privilege escalation)
Hi Team, Description: A read-only user of a calendar folder shouldn't be able to access any private appointments. I have found a move calendar folder request which is working for a read-only user. Once the attacker moves the appointment to his folder, then he can access private appointments. Vulnerable HTTP...
Open-Xchange: Unauthorized access to attachments details of Private Calendar appointments (Access control issue)
Hi Team, Description: In the calendar folder there is a permission setting where a user can be assigned as a read-only user of his own objects. A user with this permission shouldn't be able to view private appointments and their attachments. There is a request for getting attachment details from the server...
Shopify: Staff member can delete Private Apps
Hi Team, Bug description: I noticed that a Full access staff member doesn't have access to Private Apps even though he has access to Apps. But a staff member can actually delete Private Apps through the normal App link by changing the ID. Steps to reproduce: 1. Create a shop and install any app. Also...
X (Formerly Twitter): Urgent : Unauthorised Access to Media content of all Direct messages and protected tweets (Indirect object reference)
Hi Team, You can tweet from your ad account while creating a campaign. When you add media content from your computer and upload it, there is a JSON request which gives you the link to your media photos to preview before tweeting. This link is vulnerable to an IDOR attack and it leads to disclose all t...