Improper Authorization in dolibarr/dolibarr

Status: Valid

Reported on Nov 19th 2021

Description

I found an IDOR in Dolibarr.

On preview2.dolibarr.org, log in with demo:demo, then open the Agenda section.

First, I change all permissions of the demo user for Reception to None.

Second, I can't see the Receptions list in Products at all.

But I am able to see the following Reception: https://preview2.dolibarr.org/reception/card.php?id=1
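The bug class the report describes is a missing function-level authorization check: the list page and menus honour the "None" permission, but the card page trusts the id in the URL. The PHP below is an added illustration of that pattern beside a hardened version; it is not Dolibarr's own card.php and not the content of the fix commit. It assumes Dolibarr's helpers GETPOST(), restrictedArea(), accessforbidden() and dol_escape_htmltag(), the Reception class, and the reception module's read right ($user->rights->reception->lire); these are assumptions, not taken from the report.

```php
<?php
// Added illustration (not Dolibarr's code, not the fix commit). Assumes the
// Dolibarr helpers named in the lead-in and the Reception class.

require '../main.inc.php';                    // loads $db, $user, $conf
require_once DOL_DOCUMENT_ROOT.'/reception/class/reception.class.php';

$id = GETPOST('id', 'int');

// Vulnerable pattern: the record is fetched and rendered purely from the id
// in the URL. Menus and the list page hide receptions from a user whose
// module permission is "None", but nothing here re-checks that right, so a
// direct request to card.php?id=1 still renders the card.
function show_reception_unchecked($db, $id)
{
    $object = new Reception($db);
    if ($object->fetch($id) > 0) {
        print dol_escape_htmltag($object->ref);
    }
}

// Hardened pattern: fail closed before any data is loaded. The explicit
// right check stops users without the module's read permission;
// restrictedArea() additionally verifies access to this object id and
// calls accessforbidden() itself when the check fails.
function show_reception_checked($db, $user, $id)
{
    if (empty($user->rights->reception->lire)) {
        accessforbidden();
    }
    restrictedArea($user, 'reception', $id);

    $object = new Reception($db);
    if ($object->fetch($id) > 0) {
        print dol_escape_htmltag($object->ref);
    }
}

show_reception_checked($db, $user, $id);
```

A useful regression check for this class of bug is a test that requests the card URL directly as a user whose module rights are set to None and asserts that the response is the access-forbidden page rather than the record.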

Timeline

We are processing your report and will contact the dolibarr team within 24 hours.
Laurent Destailleur validated this vulnerability.
amammad has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
Laurent Destailleur marked this as fixed in develop with commit 63cd06.
Laurent Destailleur has been awarded the fix bounty.
This vulnerability will not receive a CVE.
Validated file references

card.php#L1-L2883
card.php#L1-L329
card.php#L1-L2727
card.php#L1-L346
bom_card.php#L1-L718
photos.php#L1-L267
main.inc.php#L1-L3280