IDOR vulnerability allows the owner of one organization to update any other organization in alfio-event/alf.io

Valid

Reported on

Mar 21st 2023


1. First, we create two organizations: org1 and org2. Their owners are user1 and user2 respectively.

2. We log in as user1 and update org1, then we use Burp Suite to capture the POST requests.

3. The first POST checks the user, and we forward it.

4. The second POST edits the content of the organization and looks like: "id":1,"name":"org1","email":"org1@ict.ac.cn","description":"org1org1org1org1","externalId":null,"slug":null.

5. We replace the content with "id":2,"name":"org2","email":"attack@ict.ac.cn","description":"attackattack","externalId":null,"slug":null.

6. We check the email of org2 and find that it has been changed to attack@ict.ac.cn.
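The root cause described in the steps above is a missing object-level authorization check: the endpoint verifies that the caller is logged in, but trusts the organization "id" carried in the request body. The following is an added illustration, not alf.io code: the data model, the handler names, the store layout and org2's original email are constructed for this example. It places a handler that trusts the body id next to one that checks ownership, and replays the report's tampered payload against both.

```python
"""Added example: object-level authorization for an 'update organization' endpoint.

Not alf.io code. Organization, make_store, update_org_vulnerable, update_org_fixed
and replay_report are constructed names for this demonstration.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the update."""


@dataclass
class Organization:
    id: int
    name: str
    email: str
    description: str
    owner: str  # username of the owning user (constructed field)


def make_store():
    """Fresh in-memory state mirroring the report: org1 owned by user1, org2 by user2.
    org2's original email is a constructed value."""
    return {
        1: Organization(1, "org1", "org1@ict.ac.cn", "org1org1org1org1", "user1"),
        2: Organization(2, "org2", "org2@example.invalid", "org2 description", "user2"),
    }


def _apply(org, body):
    org.name = body["name"]
    org.email = body["email"]
    org.description = body["description"]
    return org


def update_org_vulnerable(store, session_user, body):
    """Only checks that the caller is authenticated (the report's 'first POST'),
    then updates whichever organization id the JSON body names."""
    if session_user is None:
        raise Forbidden("not authenticated")
    return _apply(store[body["id"]], body)


def update_org_fixed(store, session_user, body):
    """Object-level authorization: the organization named by the body id must
    be owned by the authenticated caller. 'Missing' and 'not yours' get the same
    error so that valid ids cannot be distinguished from invalid ones."""
    if session_user is None:
        raise Forbidden("not authenticated")
    org = store.get(body["id"])
    if org is None or org.owner != session_user:
        raise Forbidden("organization not found or not owned by caller")
    return _apply(org, body)


# The tampered body from step 5 of the report.
TAMPERED_BODY = {
    "id": 2, "name": "org2", "email": "attack@ict.ac.cn",
    "description": "attackattack", "externalId": None, "slug": None,
}

# A legitimate update of org1 by its own owner, as in step 4.
LEGIT_BODY = {
    "id": 1, "name": "org1", "email": "org1@ict.ac.cn",
    "description": "org1org1org1org1", "externalId": None, "slug": None,
}


def replay_report(handler):
    """Send step 5's payload as user1 through the given handler against a fresh
    store and return org2's resulting email."""
    store = make_store()
    try:
        handler(store, "user1", TAMPERED_BODY)
    except Forbidden:
        pass
    return store[2].email


if __name__ == "__main__":
    print("vulnerable handler, org2 email:", replay_report(update_org_vulnerable))
    print("fixed handler, org2 email:     ", replay_report(update_org_fixed))
    print("owner updating own org:        ",
          update_org_fixed(make_store(), "user1", LEGIT_BODY).email)
```

The check in update_org_fixed is done against the record the body id resolves to, not against the id in the URL or the session alone; that is the difference between "is this user logged in" and "may this user act on this object". The same ownership lookup should back every write path that takes an object id (update, delete, member changes), since a fix applied to one endpoint leaves the others open.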

Impact

An attacker can change any organization.

We are processing your report and will contact the alfio-event/alf.io team within 24 hours. 2 months ago
lujiefsi modified the report 2 months ago
lujiefsi (Researcher) 2 months ago:

poc can be found here : https://1drv.ms/v/s!AksJ421iyCG-mTO43qjx-3owI62W?e=rYIjhC

lujiefsi modified the report 2 months ago
We have contacted a member of the alfio-event/alf.io team and are waiting to hear back 2 months ago
alfio-event/alf.io maintainer has acknowledged this report 2 months ago
Sylvain Jermini validated this vulnerability 2 months ago
lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Sylvain Jermini marked this as fixed in 2.0-M4-2304 with commit c9a16a a month ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Sylvain Jermini published this vulnerability a month ago