Improper Authorization in dolibarr/dolibarr

Valid

Reported on

Nov 19th 2021


Description

I found an IDOR in Dolibarr

On preview2.dolibarr.org, log in with demo:demo, then open the Agenda section.

First, I change all permissions of the demo user in Reception to None.

Second, I can't see the Receptions list in Products at all.

But I am able to see the following Reception: https://preview2.dolibarr.org/reception/card.php?id=1
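The gap the report describes is that the Receptions list honours the user's module rights while the reception card page serves any `id` directly. The following Python model is an added illustration, not Dolibarr's code or the fix in commit 63cd06; the `User`, `RECEPTIONS` and handler names are constructed for the example, with a `leaks()` regression check that a defender can run over each object endpoint.

```python
# Added illustration of the authorization gap; not Dolibarr's code or its fix.
from dataclasses import dataclass, field


@dataclass
class User:
    login: str
    # module -> set of rights, e.g. {"reception": {"lire"}}; empty set means "None"
    rights: dict = field(default_factory=dict)

    def can(self, module, right):
        return right in self.rights.get(module, set())


class Forbidden(Exception):
    pass


# Constructed sample data standing in for the demo instance's receptions table.
RECEPTIONS = {1: {"ref": "RE-CONSTRUCTED-0001", "entity": 1}}


def reception_list(user):
    # The list page already checks module rights, so the demo user saw nothing.
    if not user.can("reception", "lire"):
        raise Forbidden("reception/lire")
    return sorted(RECEPTIONS)


def reception_card_vulnerable(user, reception_id):
    # Pre-fix behaviour from the report: the id is trusted and the object is
    # returned without consulting the user's rights at all.
    return RECEPTIONS[reception_id]


def reception_card_fixed(user, reception_id):
    # Object-level check: the same module right the list enforces, evaluated
    # before the object is loaded, so a direct link to ?id=1 is refused too.
    if not user.can("reception", "lire"):
        raise Forbidden("reception/lire")
    return RECEPTIONS[reception_id]


def leaks(card_handler, user, reception_id):
    """Regression check: list denies the user, but the card still serves the object."""
    try:
        reception_list(user)
        return False  # user is entitled anyway; nothing to compare
    except Forbidden:
        pass
    try:
        card_handler(user, reception_id)
        return True  # list denies, card serves: the IDOR
    except Forbidden:
        return False
```

Running `leaks()` against every object page with a user whose module rights are set to None is a cheap way to catch list/card mismatches before they ship.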

We are processing your report and will contact the dolibarr team within 24 hours. 15 days ago
Laurent Destailleur validated this vulnerability 14 days ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Laurent Destailleur confirmed that a fix has been merged on 63cd06 14 days ago
Laurent Destailleur has been awarded the fix bounty
card.php#L1-L2883 has been validated
card.php#L1-L329 has been validated
card.php#L1-L2727 has been validated
card.php#L1-L346 has been validated
bom_card.php#L1-L718 has been validated
photos.php#L1-L267 has been validated
main.inc.php#L1-L3280 has been validated