Improper Authorization in bytebase/bytebase
Feb 2nd 2022
Hello bytebase team, there is an improper privilege management issue in the bytebase source code. This allows a user to view another user's inbox.
Proof of Concept
- Install bytebase, create a new user
- Log in as user1, go to this link,
  change user-id to the id of user2.
- See that user1 can view user2's inbox.
This vulnerability is capable of allowing a user to view another user's inbox.
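As an added illustration that is not Bytebase's code and not the referenced fix commit, the following hypothetical Go handler reproduces the reported pattern (the user-id parameter alone selects the inbox) next to a hardened version that binds the parameter to the authenticated session principal. The inbox store, user ids and function names are constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"strconv"
)

type Principal struct{ ID int } // authenticated user, taken from the session, never the request

// Constructed sample inbox store keyed by user id (hypothetical, not Bytebase's own schema).
var inboxes = map[int][]string{
	1: {"user1: welcome"},
	2: {"user2: your schema change was approved"},
}
var ErrForbidden = errors.New("forbidden: user-id does not belong to the caller")

// vulnerableListInbox mirrors the reported behaviour: the user-id parameter alone selects the inbox.
func vulnerableListInbox(_ Principal, userIDParam string) ([]string, error) {
	id, err := strconv.Atoi(userIDParam)
	if err != nil {
		return nil, err
	}
	msgs, ok := inboxes[id]
	if !ok {
		return nil, errors.New("inbox not found")
	}
	return msgs, nil
}

// fixedListInbox puts the missing ownership check in front of the same lookup; a mismatch is
// denied and logged, which is the event an audit or detection rule can key on.
func fixedListInbox(caller Principal, userIDParam string) ([]string, error) {
	id, err := strconv.Atoi(userIDParam)
	if err != nil {
		return nil, err
	}
	if id != caller.ID {
		log.Printf("authz denied: principal %d requested inbox of user %d", caller.ID, id)
		return nil, ErrForbidden
	}
	return vulnerableListInbox(caller, userIDParam)
}

func main() {
	user1 := Principal{ID: 1}
	fmt.Println(vulnerableListInbox(user1, "2")) // user1 reads user2's inbox
	fmt.Println(fixedListInbox(user1, "2"))      // denied
}
```

The denied request is logged with both the caller and the requested id, so repeated mismatches from one principal are visible in the audit trail.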
A bytebase/bytebase maintainer validated this vulnerability a year ago
justinp09010 has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a third and final fix follow-up to the bytebase team. This report is now considered stale. a year ago
A bytebase/bytebase maintainer marked this as fixed in 0.13.0 with commit 4a92f4 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE