Authorization Bypass Through User-Controlled Key in tsolucio/corebos

Valid

Reported on Oct 18th 2021


Description

Just like my last report, there is another improper privilege management issue: a test user can see other users' special workflow contents, like Tasks.

Just go to this link, which belongs to admin, from another user's account: http://demo.corebos.com/index.php?module=com_vtiger_workflow&action=editworkflow&workflow_id=7&return_url=index.php%3Fmodule%3Dcom_vtiger_workflow%26action%3Dworkflowlist
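The bypass the report describes, as an added example that is not coreBOS code: a workflow editor handler that loads the record by whatever workflow_id it is given and returns it to any logged-in user, beside a version that checks the caller's right to that record before returning anything. The user model, the ownership rule (admins may edit every workflow, other users only the ones they own), the sample workflow table and all function names are assumptions made for illustration only.

```python
"""
Constructed example of the IDOR pattern in the report above: a lookup keyed
on a user-controlled workflow_id with no authorization check, beside a
checked version. Data, users and names are assumptions; none of this is
coreBOS code.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False


@dataclass
class Workflow:
    workflow_id: int
    owner: str          # user who created the workflow (assumed field)
    module: str
    tasks: list = field(default_factory=list)


# Constructed sample data standing in for the workflow table.
# Workflow 7 belongs to admin, matching the id in the report's link.
WORKFLOWS = {
    7: Workflow(7, "admin", "Accounts", ["Send Mail: welcome", "Create Todo"]),
    8: Workflow(8, "test", "Leads", ["Update Fields: status"]),
}


class NotFound(Exception):
    pass


def edit_workflow_vulnerable(user: User, workflow_id: int) -> dict:
    """Loads the record by the key from the query string and returns its
    contents. `user` is never consulted: the only check is existence, so any
    authenticated user can read any workflow, including its tasks."""
    wf = WORKFLOWS.get(workflow_id)
    if wf is None:
        raise NotFound(workflow_id)
    return {"workflow_id": wf.workflow_id, "module": wf.module, "tasks": list(wf.tasks)}


def can_edit_workflow(user: User, wf: Workflow) -> bool:
    """Assumed authorization rule: admins may edit every workflow, other
    users only the workflows they own."""
    return user.is_admin or wf.owner == user.name


def edit_workflow_checked(user: User, workflow_id: int) -> dict:
    """Same lookup, but the caller's right to the record is checked before
    anything about it is returned. A missing record and a forbidden one
    raise the same error, so the response does not reveal whether an id
    exists to a caller who may not see it."""
    wf = WORKFLOWS.get(workflow_id)
    if wf is None or not can_edit_workflow(user, wf):
        raise NotFound(workflow_id)
    return {"workflow_id": wf.workflow_id, "module": wf.module, "tasks": list(wf.tasks)}


def probe_ids(handler, user: User, ids) -> list:
    """Walks a range of candidate keys the way a tester would and returns the
    ids the handler served to this user. Any id the user does not own in
    the result is the bypass."""
    served = []
    for wid in ids:
        try:
            handler(user, wid)
            served.append(wid)
        except NotFound:
            pass
    return served


if __name__ == "__main__":
    test = User("test")
    print("vulnerable:", probe_ids(edit_workflow_vulnerable, test, range(1, 10)))
    print("checked:   ", probe_ids(edit_workflow_checked, test, range(1, 10)))
```

A real fix has to apply the same ownership or role check to every action that accepts workflow_id (edit, save, delete, and the task views), not only to editworkflow; the commit recorded in the timeline is not reproduced here.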

We have contacted a member of the tsolucio/corebos team and are waiting to hear back (a year ago)
amammad modified the report (a year ago)
We have sent a follow up to the tsolucio/corebos team. We will try again in 7 days. (a year ago)
We have sent a second follow up to the tsolucio/corebos team. We will try again in 10 days. (a year ago)
Joe Bordes validated this vulnerability (a year ago)
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Joe Bordes confirmed that a fix has been merged on 971ad6 (a year ago)
Joe Bordes has been awarded the fix bounty