IDORs with unpredictable IDs are valid vulnerabilities in metersphere/metersphere


Reported on

Mar 27th 2023

1 create two workspace: workspace1 and workspace2, and their admin is admin1 and admin2

2 login as user1 and create project1.

4 Using burpsuit to hijack the reqeust, repalce workspace1's workspaceid as workspace2's workspaceid

5 we can find that project1 has a new proejct, even admin2 is not the admin of workspace2.

IDORs with unpredictable IDs are also valid vulnerabilities, see


we only use " add proejct" for example. You can do anything you want with other workspace.

We are processing your report and will contact the metersphere team within 24 hours. 6 months ago
We have contacted a member of the metersphere team and are waiting to hear back 6 months ago
metersphere/metersphere maintainer has marked this vulnerability as not applicable 6 months ago

Thank you for your feedback. We have no problems with the latest versions of v1 and v2. The vulnerability refers to the master branch. This branch has not been maintained for a long time, and this branch has been deleted.

The disclosure bounty has been dropped
The fix bounty has been dropped
The researcher's credibility has decreased: -5
4 months ago


@admin This issuse was comfirmed later and was assigned CVE-2023-32310. metersphere has not publish this CVE and can mark this issue as private again.

4 months ago


@admin sorry abount that the CVE number is still not assign. maintainer tell me that they will fix it in next version. admin please remark it as private first.

Ben Harvie
4 months ago


On it:)

4 months ago


@admin this vulnerability has been fix by commit after discussing with the maintainer , they won't assign CVE for some reason. They have pushlish and fix the vulnerability in their release 1.20.23 LTS . So we can mark it as valild and publish it now.

besides, the project should be . I don't know why the project is changed as pimcore/customer-data-framework

Ben Harvie validated this vulnerability 4 months ago
lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Ben Harvie marked this as fixed in 1.20.23 LTS with commit 6337d9 4 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Ben Harvie published this vulnerability 4 months ago
to join this conversation