IDOR vulnerability allows the owner of one organization to create, edit and delete API keys that belong to another organization in alfio-event/alf.io
Reported on
Mar 22nd 2023
1. First, create two organizations, org1 and org2, owned by user1 and user2 respectively.
2. Log in as user1 and create a new API key.
3. Use Burp Suite to intercept the POST request.
4. The request body looks like this:
{"type":"API_KEY","target":"API_KEY","organizationId":1,"role":"API_CONSUMER","description":"test"}
5. Replace the organizationId value 1 with 2 and send the request.
6. The API key is created in org2, which user1 does not own.
7. Delete, disable, QR code and edit can be abused by the same process.
Impact
The owner of one organization can create, edit, delete and disable API keys that belong to another organization.
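The missing control is a server-side check that the authenticated user actually owns the organizationId sent in the body. The following Python example is added here and is not alf.io's code: it shows the flawed handler beside a fixed one, replaying the request body from step 4; the ownership table, the in-memory store and the function names are constructed stand-ins.

```python
import json

# Constructed sample ownership table (not alf.io's data model): organization
# id -> owning user, matching org1/user1 and org2/user2 in the report.
ORG_OWNERS = {1: "user1", 2: "user2"}

# The request body shown in the report, as the API-key creation form sends it.
REQUEST_BODY = ('{"type":"API_KEY","target":"API_KEY","organizationId":1,'
                '"role":"API_CONSUMER","description":"test"}')

class Forbidden(Exception):
    """Session user does not own the organization named in the request."""

def is_org_owner(current_user, org_id):
    """Ownership lookup keyed on the authenticated session user, not the body."""
    return ORG_OWNERS.get(org_id) == current_user

def require_org_owner(current_user, org_id):
    """Guard shared by create/edit/delete/disable: organizationId is client input."""
    if not is_org_owner(current_user, org_id):
        raise Forbidden(f"{current_user} does not own organization {org_id}")

def create_api_key_vulnerable(current_user, body, store):
    """Flawed pattern: writes to whatever organizationId the body names."""
    payload = json.loads(body)
    store.setdefault(payload["organizationId"], []).append(payload["description"])
    return payload["organizationId"]

def create_api_key_fixed(current_user, body, store):
    """Same handler with the ownership check before any write."""
    payload = json.loads(body)
    require_org_owner(current_user, payload["organizationId"])
    store.setdefault(payload["organizationId"], []).append(payload["description"])
    return payload["organizationId"]

def body_with_org(body, org_id):
    """Rebuild the captured body with a different organizationId (step 5)."""
    payload = json.loads(body)
    payload["organizationId"] = org_id
    return json.dumps(payload)

def demo():
    """Replays the report: user1 submits a body that names organization 2."""
    tampered = body_with_org(REQUEST_BODY, 2)
    vuln_store, fixed_store = {}, {}
    created_in = create_api_key_vulnerable("user1", tampered, vuln_store)
    try:
        create_api_key_fixed("user1", tampered, fixed_store)
    except Forbidden:
        return created_in, True, fixed_store
    return created_in, False, fixed_store
```

The same require_org_owner guard must sit in front of the edit, delete, disable and QR code endpoints too, since step 7 shows they accept the same client-supplied organizationId.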
Hi @lujiefsi, thank you for opening this finding. I've submitted a patch that should fix all 4 open issues: https://github.com/alfio-event/alf.io/pull/1206 . It will be added in the M4 update and also on the master branch.
Great, could you please mark those issues as valid and assign a CVE?
@lujiefsi I've marked the issues as valid. When we are able to do a release, I'll mark the issues fixed and then we will be able to assign a CVE. Thank you.