Improper Authorization in imran300/inventory

Valid

Reported on

Sep 4th 2021


✍️ Description

A General Manager user can add or edit the permissions list of other groups via an IDOR (insecure direct object reference).

🕵️‍♂️ Proof of Concept

While logged in as a General Manager, go to this URL:

http://localhost:8000/inventory/index.php/generals/add_group

The page loads, showing that the permission checks can be bypassed.

💥 Impact

This vulnerability allows a General Manager user to change other groups' permissions via IDOR.
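The root cause described above is a group-management action reachable by a role that should not have it. The following added illustration (not code from imran300/inventory) shows a deny-by-default, server-side authorization guard for add_group / edit_group; the role names, permission list and session layout are assumptions.

```php
<?php
// Added illustration (not code from imran300/inventory): a server-side
// authorization guard for the group-management actions.
// Role names and the session layout are assumptions, not the project's own.

// Roles allowed to manage groups and their permission lists. Deny by
// default: any role not listed here (e.g. 'general_manager') is refused.
const GROUP_MANAGEMENT_ROLES = ['admin'];

/**
 * True only if the current user may run a group-management action.
 * $session is the server-side session: the role comes from the server,
 * never from a request parameter, so editing the URL cannot change it.
 */
function can_manage_groups(array $session): bool
{
    return isset($session['role'])
        && in_array($session['role'], GROUP_MANAGEMENT_ROLES, true);
}

/**
 * Guard to call at the top of add_group / edit_group before any work is
 * done. Returns the HTTP status to send: 403 when denied, 200 when allowed.
 * Denials are logged so repeated attempts are visible in monitoring.
 */
function authorize_group_action(array $session, string $action, ?int $groupId): int
{
    if (!can_manage_groups($session)) {
        error_log(sprintf(
            'group authz denied: user=%s role=%s action=%s group_id=%s',
            $session['user_id'] ?? 'anonymous',
            $session['role'] ?? 'none',
            $action,
            $groupId === null ? '-' : (string) $groupId
        ));
        return 403;
    }
    return 200;
}

// Constructed sample sessions for demonstration only.
$generalManager = ['user_id' => 7, 'role' => 'general_manager'];
$admin          = ['user_id' => 1, 'role' => 'admin'];

// The report's case: a General Manager requesting add_group, or edit_group
// on some other group's id, is refused by the same check; an admin passes.
var_dump(authorize_group_action($generalManager, 'add_group', null));
var_dump(authorize_group_action($generalManager, 'edit_group', 3));
var_dump(authorize_group_action($admin, 'edit_group', 3));
```

The guard must run inside the controller action itself, since hiding the menu link does not stop a user from typing the add_group URL directly.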

Occurrences

We have contacted a member of the imran300/inventory team and are waiting to hear back 19 days ago
amammad
19 days ago

Researcher


I didn't change the default Group permissions, and I also checked that they didn't have the desired permissions.

Mian Muhammad Imran Shah validated this vulnerability 19 days ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Mian Muhammad Imran Shah confirmed that a fix has been merged on 9809cc 19 days ago
Mian Muhammad Imran Shah has been awarded the fix bounty