IDOR vulnerability allows a low-privilege user to change the role of any user, including Admin, in answerdev/answer

Valid

Reported on

Aug 28th 2023


Description

By manipulating the user_id parameter sent to the API PUT /answer/admin/api/user/role, a user with only ordinary privileges can change the role of any user.

Proof of Concept

Step 1: Log in as user1, an account with ordinary user privileges.

Step 2: Call the API PUT /answer/admin/api/user/role with that user's session; the role of any user, including Admin, can be changed.

PoC link: https://drive.google.com/file/d/1xbnCTv5ED5h_SedzpAbF5IUPVy-QkUhh

Impact

Users with low privileges can change the role of any user, including Admin.
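The root cause described above is a role-change endpoint that trusts the user_id in the request body and never checks who is calling. The following Go program is an added example written for this page, not code from the answerdev/answer project: it places the vulnerable pattern beside a hardened version that authorizes on the caller's server-side role and validates the requested role before writing. The Store type, the role ids, the JSON field names, and the X-Session-User header standing in for a real session lookup are all assumptions; only the endpoint path comes from the report.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Hypothetical role identifiers; the project's real role table is not on the page.
const (
	RoleUser  = 1
	RoleAdmin = 2
)

type User struct {
	ID   string
	Role int
}

// Store is a constructed in-memory stand-in for the user table.
type Store struct{ users map[string]*User }

func newStore() *Store {
	return &Store{users: map[string]*User{
		"user1": {ID: "user1", Role: RoleUser},
		"admin": {ID: "admin", Role: RoleAdmin},
	}}
}

// roleChangeReq is the assumed shape of a role-change body.
type roleChangeReq struct {
	UserID string `json:"user_id"`
	RoleID int    `json:"role_id"`
}

var (
	ErrForbidden = errors.New("forbidden: caller is not an administrator")
	ErrNotFound  = errors.New("target user not found")
	ErrBadRole   = errors.New("unknown role id")
)

// vulnerableChangeRole reproduces the IDOR pattern from the report: the target
// comes from the client-supplied user_id and the caller's own role is never
// consulted, so any authenticated user can change anyone's role.
func (s *Store) vulnerableChangeRole(callerID string, req roleChangeReq) error {
	target, ok := s.users[req.UserID]
	if !ok {
		return ErrNotFound
	}
	target.Role = req.RoleID
	return nil
}

// hardenedChangeRole authorizes on the caller's role as stored server-side,
// rejects unknown roles, and only then touches the target record.
func (s *Store) hardenedChangeRole(callerID string, req roleChangeReq) error {
	caller, ok := s.users[callerID]
	if !ok || caller.Role != RoleAdmin {
		return ErrForbidden
	}
	if req.RoleID != RoleUser && req.RoleID != RoleAdmin {
		return ErrBadRole
	}
	target, ok := s.users[req.UserID]
	if !ok {
		return ErrNotFound
	}
	target.Role = req.RoleID
	return nil
}

// roleHandler exposes hardenedChangeRole on PUT. The caller identity is read from
// a constructed X-Session-User header in place of a real session lookup.
func (s *Store) roleHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPut {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	var req roleChangeReq
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	switch err := s.hardenedChangeRole(r.Header.Get("X-Session-User"), req); {
	case err == nil:
		w.WriteHeader(http.StatusOK)
	case errors.Is(err, ErrForbidden):
		http.Error(w, err.Error(), http.StatusForbidden)
	case errors.Is(err, ErrNotFound):
		http.Error(w, err.Error(), http.StatusNotFound)
	default:
		http.Error(w, err.Error(), http.StatusBadRequest)
	}
}

// putRole sends one PUT through the handler and returns the HTTP status code.
func putRole(s *Store, callerID, body string) int {
	rec := httptest.NewRecorder()
	r := httptest.NewRequest(http.MethodPut, "/answer/admin/api/user/role", strings.NewReader(body))
	r.Header.Set("X-Session-User", callerID)
	s.roleHandler(rec, r)
	return rec.Code
}

func main() {
	s := newStore()
	fmt.Println(putRole(s, "user1", `{"user_id":"admin","role_id":1}`)) // 403: ordinary user refused
	fmt.Println(putRole(s, "admin", `{"user_id":"user1","role_id":2}`)) // 200: admin may promote
	fmt.Println(s.users["user1"].Role)                                 // 2
}
```

The check that matters is the one on the caller's stored role: the request body must never be the source of truth for who is allowed to perform an administrative action, and a per-endpoint authorization test like the one in main (ordinary user refused, admin accepted) is the regression test that would have caught this class of bug.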

Occurrences

We are processing your report and will contact the answerdev/answer team within 24 hours. 3 months ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 3 months ago
m4noo modified the report
3 months ago
We have contacted a member of the answerdev/answer team and are waiting to hear back 3 months ago
answerdev/answer maintainer validated this vulnerability 3 months ago
m4noo has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
m4noo
3 months ago

Researcher


@maintainer Hi, can you please specify a CVE for this vulnerability? It's necessary for my work.

answerdev/answer maintainer
3 months ago

Maintainer


@m4noo We are in the process of fixing this bug, and for security reasons we will assign a CVE in the next release. Thank you very much for your feedback.

answerdev/answer maintainer marked this as fixed in v1.1.3 with commit e75142 3 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
answerdev/answer maintainer published this vulnerability 3 months ago
demo.go#L7 has been validated