Authorization Bypass Through User-Controlled Key in kcal-app/kcal


Reported on

Sep 28th 2021


The delete-goal action has no proper authorization check, which leads to an IDOR (insecure direct object reference) vulnerability: the goal id supplied in the request is a user-controlled key that is acted on without verifying that the goal belongs to the current user.


A non-admin user can therefore delete any other user's goals, including an admin's.
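As an added illustration of the pattern described above (this is constructed example code, not kcal-app/kcal's real handler and not the fix merged in f17fb7), the two functions below show a delete-goal handler that trusts the request's goal id beside one that checks ownership first. The in-memory `$goals` and `$users` arrays, the user ids, and the function names are all assumptions made for this example.

```php
<?php
// Constructed example: an in-memory "goals" table keyed by goal id.
// Each goal records its owner's user id. This is not kcal's real schema.
$goals = [
    1 => ['user_id' => 10, 'title' => 'Lose 5 kg'],   // belongs to user 10
    2 => ['user_id' => 20, 'title' => 'Run 10 km'],   // belongs to user 20
];

// Constructed users: user 10 is a regular user, user 20 is an admin.
$users = [
    10 => ['is_admin' => false],
    20 => ['is_admin' => true],
];

// VULNERABLE: the goal id comes straight from the request and the handler
// only checks that *someone* is logged in, never that the caller owns the
// goal. Any authenticated user can delete any goal by supplying its id.
function deleteGoalVulnerable(array &$goals, ?int $currentUserId, int $goalId): bool
{
    if ($currentUserId === null) {
        return false;             // not logged in
    }
    if (!isset($goals[$goalId])) {
        return false;             // no such goal
    }
    unset($goals[$goalId]);       // no ownership check: this is the IDOR
    return true;
}

// HARDENED: look the goal up, then require that the caller owns it (or is
// an admin) before deleting. A goal that exists but belongs to someone else
// is answered exactly like a missing goal, so the response does not reveal
// which ids exist.
function deleteGoalChecked(array &$goals, array $users, ?int $currentUserId, int $goalId): bool
{
    if ($currentUserId === null) {
        return false;             // not logged in
    }
    $goal    = $goals[$goalId] ?? null;
    $isOwner = $goal !== null && $goal['user_id'] === $currentUserId;
    $isAdmin = !empty($users[$currentUserId]['is_admin']);
    if ($goal === null || (!$isOwner && !$isAdmin)) {
        return false;             // missing or foreign goal: refuse identically
    }
    unset($goals[$goalId]);
    return true;
}

// Demonstration: user 10 (non-admin) tries to delete admin user 20's goal,
// then one of their own goals, against each handler.
$store = $goals;
$result = deleteGoalVulnerable($store, 10, 2);
echo "vulnerable handler, foreign goal deleted: " . ($result ? "yes" : "no") . PHP_EOL;

$store = $goals;
$result = deleteGoalChecked($store, $users, 10, 2);
echo "hardened handler,   foreign goal deleted: " . ($result ? "yes" : "no") . PHP_EOL;
$result = deleteGoalChecked($store, $users, 10, 1);
echo "hardened handler,   own goal deleted:     " . ($result ? "yes" : "no") . PHP_EOL;
```

Run with `php` from the command line. The vulnerable handler lets user 10 remove the admin's goal, which is the behaviour the report describes; the hardened handler refuses the foreign goal and only allows the caller's own goal through. To test a live deployment for this class of bug, create two accounts, note a goal id created by the first, and issue the delete request for that id while authenticated as the second: the goal must still exist afterwards.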

We have contacted a member of the kcal-app/kcal team and are waiting to hear back a year ago
Christopher Charbonneau Wells validated this vulnerability a year ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Christopher Charbonneau Wells confirmed that a fix has been merged on f17fb7 a year ago
Christopher Charbonneau Wells has been awarded the fix bounty
auth.php#L29 has been validated