IDOR vulnerability allows the owner of one organization to disable users that belong to another organization in alfio-event/alf.io
Mar 22nd 2023
1. First, we create two organizations, org1 and org2. Their owners are user1 and user2 respectively.
2. We log in as user1 and click "disable", then we use Burp Suite to capture the POST request.
3. The request looks like: POST /admin/api/users/2/enable/false HTTP/1.1
4. We replace the user id 2 with 3.
5. We check the status of user2 and find that it has been disabled.
The user can disable any users.
We do not check whether the current user and the target user id belong to the same organization.
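To make the missing check concrete, here is an added Python example (not alf.io's code and not the project's actual patch) that models the endpoint from the report: a handler that updates whichever user id appears in the URL, beside a hardened handler that first verifies the target belongs to the caller's organization, plus a small log check that flags successful cross-organization enable/disable calls. The users, organizations and the access-log format are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample data (not alf.io's): user1 owns org1 and has one member in it,
# user2 (id 3) owns org2, matching the ids used in the report.
@dataclass(frozen=True)
class User:
    user_id: int
    username: str
    org_id: int
    enabled: bool = True

def build_directory():
    return {u.user_id: u for u in (
        User(1, "user1", org_id=1),
        User(2, "org1-member", org_id=1),
        User(3, "user2", org_id=2),
    )}

def _with_enabled(user, enabled):
    return User(user.user_id, user.username, user.org_id, enabled)

def set_enabled_vulnerable(users, actor_id, target_id, enabled):
    """Reported behaviour: the target is looked up by the id from the URL and
    updated, with no check that the actor and target share an organization."""
    users[target_id] = _with_enabled(users[target_id], enabled)

def set_enabled_fixed(users, actor_id, target_id, enabled):
    """Hardened handler (illustrative): refuse unless the target account is
    managed by the actor's organization, before any state changes."""
    actor = users[actor_id]
    target = users.get(target_id)
    if target is None or target.org_id != actor.org_id:
        # One error for both "unknown id" and "foreign id" so the endpoint does
        # not reveal which user ids exist in other organizations.
        raise PermissionError(
            f"user {target_id} is not managed by organization {actor.org_id}")
    users[target_id] = _with_enabled(target, enabled)

# Detection input: constructed access-log lines (format assumed) containing the
# legitimate request from step 3 and the tampered one from step 4.
LOG_LINES = [
    'actor=user1 "POST /admin/api/users/2/enable/false" 200',
    'actor=user1 "POST /admin/api/users/3/enable/false" 200',
    'actor=user2 "POST /admin/api/users/3/enable/true" 200',
]
_ENABLE_RE = re.compile(
    r'actor=(\S+) "POST /admin/api/users/(\d+)/enable/(true|false)" (\d{3})')

def cross_org_enable_calls(lines, users):
    """Return (actor, target_id) pairs for successful enable/disable calls whose
    target lies outside the actor's organization: the signature of this IDOR."""
    by_name = {u.username: u for u in users.values()}
    hits = []
    for line in lines:
        m = _ENABLE_RE.match(line)
        if not m or m.group(4) != "200":
            continue
        actor = by_name.get(m.group(1))
        target = users.get(int(m.group(2)))
        if actor and target and actor.org_id != target.org_id:
            hits.append((actor.username, target.user_id))
    return hits
```

The hardened handler resolves the target through the actor's organization rather than trusting the path parameter alone; in a real deployment the same membership check belongs in the data-access layer so every admin endpoint that takes a user id shares it. The log check only works once the server records the authenticated actor, which is why that field is part of the constructed format.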
We are processing your report and will contact the alfio-event/alf.io team within 24 hours. 2 months ago
Sylvain Jermini validated this vulnerability 2 months ago
lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Sylvain Jermini marked this as fixed in 2.0-M4-2304 with commit c9a16a a month ago
The fix bounty has been dropped
This vulnerability will not receive a CVE