Improper Privilege Management in gskinner/regexr


Reported on

Jun 15th 2021

✍️ Description

I managed to find a Critical IDOR in the . Any user is able to change the Visibility Status of any pattern set

📚 Proof of Concept

1: Go to
2: Click on "New" in the Top Left Corner
3: Select Pattern Settings and Fill out "pattern Name ", "Author Name" , "Description"
4: Now click save button
5: Now User will be able to change the pattern Visibility to Private or Public
6:Click on the Private button and Intercept the Request
7: Replace the patternId= with some other ID (usually these ID can be obtained once a user shares his Pattern)
8:The pattern with Replaced Id gets Changed

The API endpoint is vulnerable (api.php)

Video POC : GoogleDrive-Link

⚙️ Impact

This Vulnerability is capable of change other users visibility privilage


gskinner/regexr maintainer validated this vulnerability 2 years ago
Tibin Sunny has been awarded the disclosure bounty
The fix bounty is now up for grabs
gskinner/regexr maintainer marked this as fixed with commit 3b50b0 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation