Improper Authorization in imran300/inventory


Reported on Sep 4th 2021

✍️ Description

A General manager user can edit or add the permission lists of other groups via IDOR.

🕵️‍♂️ Proof of Concept

Go to this URL while logged in as a General manager.


Then you can see that the permission checks can be bypassed.

💥 Impact

This vulnerability allows an attacker to change group permissions via IDOR.
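The missing check, as an added illustration that is not the inventory project's own code (the group names, the permission names and the `manage_group_permissions` right are assumptions): the vulnerable handler only verifies that the target group exists, while the fixed one first checks the acting user's own group permission list before touching any other group.

```python
from dataclasses import dataclass, field

# Constructed sample model for illustration; not the inventory project's own code.
@dataclass
class Group:
    id: int
    name: str
    permissions: set = field(default_factory=set)

@dataclass
class User:
    id: int
    group_id: int  # the group whose permission list governs this user

def sample_groups():
    """Fresh copy of constructed sample data (assumed roles, not the project's)."""
    return {
        1: Group(1, "Admin", {"view_stock", "edit_stock", "manage_group_permissions"}),
        2: Group(2, "General manager", {"view_stock", "edit_stock"}),
    }

def update_permissions_vulnerable(groups, actor, group_id, new_perms):
    """IDOR pattern: any authenticated user may rewrite any group's list.
    Only the existence of the target group is checked, never the actor's rights."""
    target = groups.get(group_id)
    if target is None:
        return False, "no such group"
    target.permissions = set(new_perms)
    return True, "updated"

def update_permissions_fixed(groups, actor, group_id, new_perms):
    """Object-level authorization: the actor's own group must carry the
    manage_group_permissions right before any target group is modified."""
    actor_group = groups.get(actor.group_id)
    if actor_group is None or "manage_group_permissions" not in actor_group.permissions:
        # Denied requests are worth logging: repeated denials against other
        # groups' IDs are the signature of someone probing for this IDOR.
        return False, f"user {actor.id} lacks manage_group_permissions"
    target = groups.get(group_id)
    if target is None:
        return False, "no such group"
    target.permissions = set(new_perms)
    return True, "updated"
```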


We have contacted a member of the imran300/inventory team and are waiting to hear back 19 days ago


I didn't change the default Group permissions and also checked that they didn't have the desired permissions.

Mian Muhammad Imran Shah validated this vulnerability 19 days ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Mian Muhammad Imran Shah confirmed that a fix has been merged on 9809cc 19 days ago
Mian Muhammad Imran Shah has been awarded the fix bounty