IDOR vulnerability lets an attacker add, delete and modify workspaces at will within any organization in cloudexplorer-dev/cloudexplorer-lite
May 13th 2023
Proof of Concept
1. There are two organizations in the system, team1 and team2.
2. User user1 is an administrator of team1 and is not an administrator of team2.
3. user1 creates a workspace named workspace1 in team1.
4. user1 intercepts the request with Burp Suite and, in the request, replaces team1's ID with team2's ID.
5. Inspecting the response shows that it succeeded: user1 can create workspaces in team2 at will.

The command used to set up the system is: /bin/bash -c "$(curl -fsSL https://resource.fit2cloud.com/cloudexplorer-lite/installer/releases/latest/quick_start.sh)"
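The authorization failure the steps above describe, shown as an added example that is not CloudExplorer Lite's code: the organization/workspace model, the request field names, the role table and the handler names are assumptions chosen to reproduce the reported behaviour (a role check that passes for any organization admin, followed by trusting the organization ID sent by the client) next to a hardened handler that authorizes the caller against the specific organization named in the request. The swap of team1's ID for team2's ID from step 4 is simulated by the replay helper.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller lacks admin rights on the target organization."""


# Constructed sample data mirroring the report: two organizations, and user1
# is an administrator of team1 only. The names are the report's; the table
# layout is an assumption, not the project's schema.
ORG_ADMINS = {
    "team1": {"user1"},
    "team2": {"user2"},
}


@dataclass
class WorkspaceStore:
    """In-memory stand-in for the workspace table, keyed by organization ID."""
    by_org: dict = field(default_factory=lambda: {org: [] for org in ORG_ADMINS})


@dataclass(frozen=True)
class CreateWorkspaceRequest:
    """Client-controlled body of the create-workspace call (assumed field names)."""
    organization_id: str
    name: str


def is_org_admin_anywhere(user):
    """Role check that ignores *which* organization the user administers."""
    return any(user in admins for admins in ORG_ADMINS.values())


def create_workspace_vulnerable(store, caller, req):
    """Vulnerable pattern: confirms the caller holds the org-admin role at all,
    then trusts organization_id from the request body. Step 4 of the report
    exploits exactly this: the role check passes for user1 whichever
    organization ID is sent."""
    if not is_org_admin_anywhere(caller):
        raise Forbidden(f"{caller} is not an organization admin")
    store.by_org[req.organization_id].append(req.name)
    return req.organization_id


def create_workspace_hardened(store, caller, req):
    """Fix: authorize the caller against the organization named in the request,
    so an ID swapped in by the client is rejected unless the caller really
    administers that organization."""
    if caller not in ORG_ADMINS.get(req.organization_id, set()):
        raise Forbidden(f"{caller} is not an admin of {req.organization_id}")
    store.by_org[req.organization_id].append(req.name)
    return req.organization_id


def replay_with_swapped_org(handler, caller, legit_req, target_org):
    """Simulates the Burp step: re-send the caller's legitimate request with the
    organization ID replaced. Returns (succeeded, workspaces in target_org)."""
    store = WorkspaceStore()
    tampered = CreateWorkspaceRequest(organization_id=target_org, name=legit_req.name)
    try:
        handler(store, caller, tampered)
        return True, list(store.by_org[target_org])
    except Forbidden:
        return False, list(store.by_org[target_org])


if __name__ == "__main__":
    legit = CreateWorkspaceRequest(organization_id="team1", name="workspace1")
    for handler in (create_workspace_vulnerable, create_workspace_hardened):
        ok, workspaces = replay_with_swapped_org(handler, "user1", legit, "team2")
        print(f"{handler.__name__}: created in team2 = {ok}, team2 workspaces = {workspaces}")
```

The same per-organization check belongs on the delete and modify paths named in the title, and on every handler that takes an organization or workspace ID from the client; a safer variant resolves the target organization from the server-side session or the workspace record itself rather than from the request body, so there is no client-supplied ID to swap.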
Thank you for your feedback. We have confirmed that this vulnerability will be fixed in the next version.
Can you give us a CVE number first, and we will issue credit to you.
I do not have the permission to assign a CVE.
@admin from huntr, could you please help Maintainer to obtain a CVE number?
But you can mark this report as valid first.
@Maintainer But you can mark this report as valid first.
@Maintainer Even if the report is marked as valid, it is still not public.
Okay, thank you for your suggestion!
We have applied for the CVE number.
A CVE will be applied during the fix & publish stage.
Thank you. We have fixed this vulnerability in v1.1.0 and will release it on May 23rd. After release, we will mark it as fixed