Improper Access Control in francoisjacquet/rosariosis

Status: Valid

Reported on May 2nd 2022

Description

The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Proof of Concept

Unauthorized actors can access critical pages directly.

Impact

Unauthorized actors can get critical information about the application.

We are processing your report and will contact the francoisjacquet/rosariosis team within 24 hours. (a month ago)
We have contacted a member of the francoisjacquet/rosariosis team and are waiting to hear back. (25 days ago)
intrapus modified the report. (24 days ago)

François (Maintainer), 24 days ago:

Hello @intrapus

Thank you for your report. The fix will concern the diagnostic.php file only. For InstallDatabase.php, there is no information given except that the database is installed, which is obvious.

François Jacquet validated this vulnerability 24 days ago
intrapus has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
François Jacquet confirmed that a fix has been merged on 97927f 24 days ago
François Jacquet has been awarded the fix bounty
diagnostic.php#L1-L257 has been validated
InstallDatabase.php#L1-L126 has been validated