Authorization Bypass Through User-Controlled Key in tsolucio/corebos

Valid

Reported on Oct 18th 2021


Description

Just like my last report, there is another improper privilege management issue: a test user can see other users' special workflow contents like Tasks.

Just go to this link, which belongs to admin, from another user's account. http://demo.corebos.com/index.php?module=com_vtiger_workflow&action=editworkflow&workflow_id=7&return_url=index.php%3Fmodule%3Dcom_vtiger_workflow%26action%3Dworkflowlist
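The report describes an authorization bypass through a user-controlled key: the workflow_id in the URL selects the record, and nothing checks whether the requesting account is allowed to edit it. The following is an added example, not corebos code, that models the reported request with an in-memory store and contrasts the vulnerable lookup with one that authorizes first and logs denials; the User class, the WORKFLOWS store and the admin-only rule are assumptions made for the illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool


# Constructed sample store: workflow 7 belongs to the admin account.
WORKFLOWS = {7: {"name": "Escalate overdue tasks", "owner": "admin"}}
# Denied requests are recorded here so they can be alerted on.
AUDIT_LOG: list[str] = []


def parse_request(url: str) -> dict:
    """Extract module, action and workflow_id from the reported URL shape."""
    q = parse_qs(urlsplit(url).query)
    return {
        "module": q.get("module", [""])[0],
        "action": q.get("action", [""])[0],
        "workflow_id": int(q.get("workflow_id", ["0"])[0]),
    }


def edit_workflow_vulnerable(user: User, url: str):
    """Looks up the record by the user-supplied key; never asks who is asking."""
    req = parse_request(url)
    return WORKFLOWS.get(req["workflow_id"])


def edit_workflow_fixed(user: User, url: str):
    """Same lookup, but authorization is decided before the record is returned.
    Assumption for this example: editing workflows is an admin-only privilege."""
    req = parse_request(url)
    if req["action"] != "editworkflow":
        return None
    if not user.is_admin:
        AUDIT_LOG.append(
            f"DENY editworkflow workflow_id={req['workflow_id']} user={user.name}"
        )
        return None
    return WORKFLOWS.get(req["workflow_id"])


# The URL from the report, used as the sample request.
REPORTED_URL = (
    "http://demo.corebos.com/index.php?module=com_vtiger_workflow"
    "&action=editworkflow&workflow_id=7&return_url=index.php%3Fmodule%3D"
    "com_vtiger_workflow%26action%3Dworkflowlist"
)
```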

We have contacted a member of the tsolucio/corebos team and are waiting to hear back (2 years ago)
amammad modified the report (2 years ago)
We have sent a follow up to the tsolucio/corebos team. We will try again in 7 days. (2 years ago)
We have sent a second follow up to the tsolucio/corebos team. We will try again in 10 days. (2 years ago)
Joe Bordes validated this vulnerability (2 years ago)
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Joe Bordes marked this as fixed with commit 971ad6 (2 years ago)
Joe Bordes has been awarded the fix bounty
This vulnerability will not receive a CVE