Authorization Bypass Through User-Controlled Key in kcal-app/kcal

Reported on Sep 28th 2021

There isn't any proper authorization check on the delete-goal action, which leads to an IDOR (insecure direct object reference) vulnerability.


A non-admin user can delete any other user's goals, including an admin's.
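The pattern behind this report, as an added illustration that is not kcal's own code (kcal is a PHP app; the data model, names and sample data below are constructed for the example): a delete-goal handler that trusts the client-supplied goal id without checking ownership, beside a hardened version that scopes the lookup to the requesting user.

```python
from dataclasses import dataclass, field


class NotFound(Exception):
    """Raised when the goal does not exist for this caller (maps to HTTP 404)."""


@dataclass
class User:
    id: int
    is_admin: bool = False


@dataclass
class Goal:
    id: int
    user_id: int  # owner of the goal
    kcal: int


@dataclass
class GoalStore:
    goals: dict[int, Goal] = field(default_factory=dict)

    def delete_goal_vulnerable(self, current_user: User, goal_id: int) -> None:
        # The caller is authenticated, but the goal is never checked against
        # current_user: any user can delete any goal id they supply (IDOR).
        if goal_id not in self.goals:
            raise NotFound(goal_id)
        del self.goals[goal_id]

    def delete_goal_fixed(self, current_user: User, goal_id: int) -> None:
        # Resolve the goal relative to the caller: admins may delete any goal,
        # everyone else only their own. A goal owned by someone else is reported
        # exactly like a missing one, so the endpoint does not confirm that
        # other users' goal ids exist.
        goal = self.goals.get(goal_id)
        if goal is None or not (current_user.is_admin or goal.user_id == current_user.id):
            raise NotFound(goal_id)
        del self.goals[goal_id]


def build_store() -> GoalStore:
    """Constructed sample data: goal 1 belongs to the admin, goal 2 to a regular user."""
    return GoalStore({1: Goal(1, user_id=1, kcal=2000), 2: Goal(2, user_id=2, kcal=1800)})


ADMIN = User(1, is_admin=True)
REGULAR = User(2)


def attempt(handler, user: User, goal_id: int) -> str:
    """Run a delete handler and report the outcome as the HTTP-style result."""
    try:
        handler(user, goal_id)
        return "deleted"
    except NotFound:
        return "not found"
```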

We have contacted a member of the kcal-app/kcal team and are waiting to hear back 2 years ago
Christopher Charbonneau Wells validated this vulnerability 2 years ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Christopher Charbonneau Wells marked this as fixed with commit f17fb7 2 years ago
Christopher Charbonneau Wells has been awarded the fix bounty
This vulnerability will not receive a CVE
auth.php#L29 has been validated