Improper Access Control (IDOR) in francoisjacquet/rosariosis

Valid

Reported on

Apr 29th 2022


Description

Any user (even one without an account) can view any student's photo by guessing the student's id.

Proof of Concept

Access this URL https://www.rosariosis.org/demonstration/assets/StudentPhotos/2021/{student_id}.jpg -> An attacker can see a student's personal photo even without a school account (student ids are easy to predict).

Impact

This vulnerability allows viewing a student's personal photo without permission or authorization.
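The underlying defect is that photos are directly addressable static files, so possession of a predictable id substitutes for authorization. The following is an added example, not RosarioSIS code or its actual fix: photos are served only through a handler that performs an object-level check (is this session allowed to see this particular student?) before revealing the file path. The roles, the sample student directory and the `PHOTO_ROOT` layout are assumptions made for the illustration.

```python
# Added illustration (not RosarioSIS code): serve student photos through an
# object-level authorization check instead of as directly addressable files.
from dataclasses import dataclass, field
from pathlib import PurePosixPath
from typing import Optional

@dataclass
class Session:
    user_id: Optional[int] = None          # None = anonymous visitor
    role: str = "anonymous"                # assumed roles: admin/teacher/parent/student
    school_id: Optional[int] = None        # school an admin is scoped to
    linked_students: set = field(default_factory=set)  # students a teacher/parent may see

# Constructed sample directory: student_id -> school the student belongs to.
STUDENTS = {101: 1, 102: 1, 203: 2}

# Assumed on-disk layout; the real deployment path is not on the page.
PHOTO_ROOT = PurePosixPath("/var/www/assets/StudentPhotos")

def can_view_student(session: Session, student_id: int) -> bool:
    """Object-level authorization: may THIS user see THIS student?"""
    school = STUDENTS.get(student_id)
    if school is None or session.user_id is None:
        return False                           # unknown student or not logged in
    if session.role == "admin":
        return session.school_id == school     # admins limited to their own school
    if session.role == "student":
        return session.user_id == student_id   # a student sees only themselves
    if session.role in ("teacher", "parent"):
        return student_id in session.linked_students
    return False

def student_photo_path(session: Session, student_id_param: str, year: int):
    """Return the photo path to stream, or None so the caller answers 403/404.

    The id is taken as an untrusted request parameter: it is validated as a
    plain integer first (rejecting path tricks), then the authorization check
    decides, so an authenticated user still cannot enumerate other students.
    """
    if not student_id_param.isdigit():
        return None
    student_id = int(student_id_param)
    if not can_view_student(session, student_id):
        return None
    return PHOTO_ROOT / str(year) / f"{student_id}.jpg"
```

Authentication alone is not the fix: the check must be tied to the requested student, which is why the student and parent cases compare against the id in the request rather than only confirming a login.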

Occurrences

We are processing your report and will contact the francoisjacquet/rosariosis team within 24 hours. a year ago
We have contacted a member of the francoisjacquet/rosariosis team and are waiting to hear back a year ago
dungtuanha
a year ago

Researcher


@maintainer what about this? Please check this report.

François Jacquet validated this vulnerability a year ago
dungtuanha has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
François Jacquet marked this as fixed in 9.0 with commit f8b9f8 a year ago
François Jacquet has been awarded the fix bounty
This vulnerability will not receive a CVE
README#L3 has been validated
François
a year ago

Maintainer


Thanks @dungtuanha. The fix applies to User photos too.
