IDOR vulnerability allows the owner of one organization to create, edit and delete API keys that belong to another organization in alfio-event/alf.io

Valid

Reported on

Mar 22nd 2023


1. First, we create two organizations, org1 and org2, owned by user1 and user2 respectively.

2. We log in as user1 and create a new API key.

3. Using Burp Suite, we intercept the POST request.

4. The POST body looks like:

{"type":"API_KEY","target":"API_KEY","organizationId":1,"role":"API_CONSUMER","description":"test"}

5. We replace the organizationId value 1 with 2 and then send the request.

6. We find that the API key was created in org2.

7. Delete, disable, QR code and edit can be abused with the same process.
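To make the root cause concrete, here is an added Python model (not alf.io's code and not the contents of its fix) of the vulnerable handler beside one that checks organization ownership server-side; the owner table and request body are constructed from the steps above, and the function names are hypothetical.

```python
import json

# Constructed sample data (not alf.io's real schema): which user owns which organization.
ORG_OWNERS = {1: "user1", 2: "user2"}


def make_body(org_id: int) -> str:
    """The request body from step 4 of the report, with organizationId set as in step 5."""
    return json.dumps({"type": "API_KEY", "target": "API_KEY", "organizationId": org_id,
                       "role": "API_CONSUMER", "description": "test"})


def owned_org_ids(user: str) -> set:
    """Server-side source of truth: the organizations the authenticated principal owns."""
    return {org for org, owner in ORG_OWNERS.items() if owner == user}


def store_key(user: str, body: dict, store: list) -> dict:
    key = {"id": len(store) + 1, "organizationId": body["organizationId"],
           "description": body["description"], "createdBy": user}
    store.append(key)
    return key


def create_api_key_vulnerable(user: str, raw_body: str, store: list) -> tuple:
    """IDOR pattern: the handler trusts the organizationId supplied in the request body."""
    return 200, store_key(user, json.loads(raw_body), store)


def create_api_key_checked(user: str, raw_body: str, store: list) -> tuple:
    """Hardened: organizationId must be one the caller owns, otherwise reject with 403."""
    body = json.loads(raw_body)
    org_id = body.get("organizationId")
    # type() rather than isinstance() so a JSON true/false is not accepted as 1/0
    if type(org_id) is not int or org_id not in owned_org_ids(user):
        return 403, {"error": "organization not owned by caller"}
    return 200, store_key(user, body, store)


def delete_api_key_checked(user: str, key_id: int, store: list) -> int:
    """Step 7: delete/disable/edit resolve the key's organization server-side and apply
    the same ownership check, so the caller never gets to name the organization."""
    key = next((k for k in store if k["id"] == key_id), None)
    if key is None or key["organizationId"] not in owned_org_ids(user):
        return 403  # one answer for "missing" and "not yours" avoids an id-existence oracle
    store.remove(key)
    return 204
```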

Impact

The owner of one organization can create, edit, delete and disable API keys that belong to another organization.

We are processing your report and will contact the alfio-event/alf.io team within 24 hours. 2 months ago
lujiefsi modified the report
2 months ago
lujiefsi modified the report
2 months ago
We have contacted a member of the alfio-event/alf.io team and are waiting to hear back 2 months ago
alfio-event/alf.io maintainer has acknowledged this report 2 months ago
Sylvain Jermini
2 months ago

Maintainer


Hi @lujiefsi, thank you for opening this finding. I've submitted a patch that should fix all 4 opened issues: https://github.com/alfio-event/alf.io/pull/1206 . It will be added in the M4 update and also on the master branch.

lujiefsi
2 months ago

Researcher


Great, could you please mark those issues as valid and assign a CVE?

Sylvain Jermini validated this vulnerability 2 months ago
lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Sylvain Jermini
2 months ago

Maintainer


@lujiefsi I've marked the issues as valid. When we are able to do a release, I'll mark the issues fixed and thus we will be able to assign a CVE. Thank you.

Sylvain Jermini marked this as fixed in 2.0-M4-2304 with commit c9a16a a month ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Sylvain Jermini published this vulnerability a month ago