Authorization Bypass Through User-Controlled Key in tsolucio/corebos

Valid

Reported on

Oct 18th 2021


Description

Just like my last report, there is another improper privilege management issue: a test user can see other users' special workflow contents, like Tasks.

Just go to this link, which belongs to admin, from another user's account: http://demo.corebos.com/index.php?module=com_vtiger_workflow&action=editworkflow&workflow_id=7&return_url=index.php%3Fmodule%3Dcom_vtiger_workflow%26action%3Dworkflowlist
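The report above is an insecure-direct-object-reference pattern: the `workflow_id` taken from the URL is used as the lookup key, and the handler never checks whether the logged-in user is allowed to open that workflow. The following is an added example, not code from the original report or from the coreBOS code base: it models the vulnerable handler next to a hardened one in Python over a constructed in-memory workflow store, and adds an id sweep of the kind a tester would run to confirm which records a low-privilege session can reach. The user names, the "admins may edit anything, others only their own" policy and all function names are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool


@dataclass(frozen=True)
class Workflow:
    workflow_id: int
    module: str
    owner: str                 # user who created the workflow (assumption)
    tasks: tuple               # task names; constructed sample data


# Constructed sample store, keyed by the integer carried in the workflow_id parameter.
WORKFLOWS: Dict[int, Workflow] = {
    7: Workflow(7, "Contacts", "admin", ("Send welcome email", "Create follow-up task")),
    8: Workflow(8, "Leads", "admin", ("Notify sales manager",)),
    9: Workflow(9, "Calendar", "testuser", ("Remind owner",)),
}

ADMIN = User("admin", is_admin=True)
TESTUSER = User("testuser", is_admin=False)   # the low-privilege account from the report


def parse_workflow_id(raw: Optional[str]) -> Optional[int]:
    """Accept only a plain non-negative integer; anything else is rejected."""
    if raw is None or not raw.isdigit():
        return None
    return int(raw)


def edit_workflow_vulnerable(session_user: User, params: Dict[str, str]) -> Optional[Workflow]:
    """The bypass as reported: the user-controlled key is trusted as-is and
    session_user is never consulted, so any logged-in user reaches any record."""
    wf_id = parse_workflow_id(params.get("workflow_id"))
    return WORKFLOWS.get(wf_id) if wf_id is not None else None


def can_edit_workflow(user: User, wf: Workflow) -> bool:
    """Hypothetical policy: admins may edit any workflow, others only their own."""
    return user.is_admin or wf.owner == user.name


def edit_workflow_fixed(session_user: User, params: Dict[str, str]) -> Optional[Workflow]:
    """Hardened handler: resolve the object, then check the session user's rights on it."""
    wf_id = parse_workflow_id(params.get("workflow_id"))
    wf = WORKFLOWS.get(wf_id) if wf_id is not None else None
    if wf is None or not can_edit_workflow(session_user, wf):
        # Same answer for "missing" and "forbidden" so the id space cannot be
        # enumerated through the difference in responses.
        return None
    return wf


def sweep_ids(handler: Callable[[User, Dict[str, str]], Optional[Workflow]],
              user: User, id_range: Iterable[int]) -> List[int]:
    """Tester's check: which workflow_ids does this user reach through the handler?"""
    return [i for i in id_range if handler(user, {"workflow_id": str(i)}) is not None]


if __name__ == "__main__":
    print("vulnerable:", sweep_ids(edit_workflow_vulnerable, TESTUSER, range(0, 20)))
    print("fixed:     ", sweep_ids(edit_workflow_fixed, TESTUSER, range(0, 20)))
```

The important design point is the order of operations in the hardened handler: the record is loaded first and the authorization decision is made against the record that was actually found, not against the raw id, so a later change to how ids are assigned cannot reopen the hole.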

We have contacted a member of the tsolucio/corebos team and are waiting to hear back a month ago
amammad modified their report a month ago
We have sent a follow up to the tsolucio/corebos team. We will try again in 7 days. a month ago
We have sent a second follow up to the tsolucio/corebos team. We will try again in 10 days. a month ago
Joe Bordes validated this vulnerability a month ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Joe Bordes confirmed that a fix has been merged on 971ad6 a month ago
Joe Bordes has been awarded the fix bounty