Improper Authorization in imran300/inventory

Valid

Reported on

Sep 4th 2021


✍️ Description

A user in the Designer group can deactivate any other user account by requesting the deactivation endpoint directly with the target's numeric id (an IDOR caused by a missing server-side authorization check).

🕵️‍♂️ Proof of Concept

Log in as a user in the Designer group and open this URL:

http://localhost:8000/inventory/index.php/Users/deactiveStatus/10

The user with id 10 is then deactivated, even though the Designer group does not hold that permission.
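The root cause this report describes is a deactivation action that only checks that the caller is logged in, not which group the caller belongs to. The following is an added illustration, not code from imran300/inventory and not the fix merged in 9809cc: a CodeIgniter-style `Users` controller (the `index.php/Users/deactiveStatus/10` URL suggests that routing, which is an assumption) with the vulnerable action beside a hardened one that enforces the caller's group before touching the target row. The session keys `logged_in`, `group` and `user_id`, the `users` table and its `status` column, and the allowed-roles list are all assumed names.

```php
<?php
// Added illustration (not the project's code). Assumes CodeIgniter 3
// conventions: session and database libraries, and a session key 'group'
// holding the caller's role ('Admin', 'Designer', ...). Table, column and
// session key names are assumptions.
defined('BASEPATH') or exit('No direct script access allowed');

class Users extends CI_Controller
{
    // Roles allowed to change another account's status (assumed policy).
    private $can_manage_users = ['Admin'];

    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->load->database();
        // Authentication only: any logged-in user, Designer included, passes.
        if (!$this->session->userdata('logged_in')) {
            redirect('login');
        }
    }

    // VULNERABLE pattern: authenticated, but no authorization check, and a
    // state change on GET. GET /index.php/Users/deactiveStatus/10 succeeds
    // for a Designer because nothing here looks at the caller's group.
    public function deactiveStatus($id)
    {
        $this->db->where('id', (int) $id)->update('users', ['status' => 0]);
        redirect('Users');
    }

    // HARDENED pattern: require POST, enforce the role server-side on every
    // request (not just in the menu), and refuse self-deactivation.
    public function deactiveStatusSecure($id)
    {
        if ($this->input->method(TRUE) !== 'POST') {
            show_error('Method not allowed', 405);
        }

        $group   = $this->session->userdata('group');
        $caller  = (int) $this->session->userdata('user_id');
        $target  = (int) $id;

        if (!in_array($group, $this->can_manage_users, TRUE)) {
            // Log the attempt: repeated 403s here are worth alerting on.
            log_message('error', "Unauthorized deactivation attempt by user {$caller} on user {$target}");
            show_error('Forbidden', 403);
        }
        if ($target === $caller) {
            show_error('Cannot deactivate your own account', 400);
        }

        $this->db->where('id', $target)->update('users', ['status' => 0]);
        redirect('Users');
    }
}
```

The check has to live in the action itself: removing the "deactivate" link from the Designer menu does nothing, because the PoC never uses the menu and simply types the URL. Requiring POST is a secondary hardening that also closes the trivially shareable GET link shown in the proof of concept.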

💥 Impact

A Designer can deactivate any user account by supplying its numeric id in the URL, locking legitimate users out of the application.

Occurrences

We have contacted a member of the imran300/inventory team and are waiting to hear back 19 days ago
amammad (Researcher), 19 days ago:

I didn't change the default Group permissions and also checked that they didn't have the desired permissions.

Mian Muhammad Imran Shah validated this vulnerability 19 days ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Mian Muhammad Imran Shah confirmed that a fix has been merged on 9809cc 19 days ago
Mian Muhammad Imran Shah has been awarded the fix bounty