IDOR vulnerability: the owner of one organization can edit, delete and reset the password of users that belong to another organization in alfio-event/alf.io

Valid

Reported on

Mar 22nd 2023


1. First, we create two organizations: org1 and org2. Their owners are user1 and user2 respectively.

2. We log in as user1 and reset its own password.

3. Using Burp Suite, we intercept the request.

4. The request looks like:

PUT /admin/api/users/2/reset-password?baseUrl=http%3A%2F%2F192.168.19.138%3A8080 HTTP/1.1

5. We replace the 2 with 3 and then send the request.

6. We find that the password of user2 has been reset.

7. Delete and edit follow the same process.

Impact

The owner of one organization can edit, delete and reset the password of any other user.

Occurrences

reset password: we do not check whether the target user and the current user belong to the same organization

edit: we do not check whether the target user and the current user belong to the same organization
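An added example in Python, not code from alf.io, modelling the missing check described in the occurrences above: the vulnerable handler acts on whatever user id the request names, while the fixed handler first verifies that the caller and the target belong to the same organization. The User model, the make_users() sample data and the function names are assumptions for illustration; the same guard applies to the edit and delete operations named in the report.

```python
# Added illustration, not code from alf.io: the User model and the
# functions below are hypothetical stand-ins for the real UserManager.
from dataclasses import dataclass


@dataclass
class User:
    id: int
    username: str
    org_id: int
    password_reset: bool = False


class Forbidden(Exception):
    """Raised when the caller may not act on the target user."""


def make_users() -> dict:
    # Constructed sample data: user1 owns org1, user2 owns org2, user3 is
    # a member of org2 (mirrors the ids used in the report).
    return {
        1: User(1, "user1", org_id=1),
        2: User(2, "user2", org_id=2),
        3: User(3, "user3", org_id=2),
    }


def reset_password_vulnerable(users: dict, current_id: int, target_id: int) -> User:
    """Mirrors the reported behaviour: the target's organization is never
    compared with the caller's, so any authenticated admin can reset any
    user's password just by changing the id in the URL (IDOR)."""
    target = users[target_id]
    target.password_reset = True
    return target


def same_organization(users: dict, current_id: int, target_id: int) -> bool:
    """Authorization guard: act on a user only if caller and target share an
    organization. Unknown ids are rejected rather than leaking existence."""
    current, target = users.get(current_id), users.get(target_id)
    return (current is not None and target is not None
            and current.org_id == target.org_id)


def reset_password_fixed(users: dict, current_id: int, target_id: int) -> User:
    """Same operation with the ownership check applied before any change."""
    if not same_organization(users, current_id, target_id):
        raise Forbidden(f"user {current_id} may not manage user {target_id}")
    target = users[target_id]
    target.password_reset = True
    return target
```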

We are processing your report and will contact the alfio-event/alf.io team within 24 hours.
lujiefsi modified the report.
We have contacted a member of the alfio-event/alf.io team and are waiting to hear back.
alfio-event/alf.io maintainer has acknowledged this report.
Sylvain Jermini validated this vulnerability.
Sylvain Jermini marked this as fixed in 2.0-M4-2304 with commit c9a16a.
This vulnerability will not receive a CVE
Sylvain Jermini published this vulnerability.
UserManager.java#L293 has been validated
UserManager.java#L241 has been validated