Improper Access Control (IDOR) in neorazorx/facturascripts

Valid

Reported on

Apr 28th 2022


Description

Improper Access Control (IDOR) could leak admin information.

Proof of Concept

1. Log in as admin, edit a role to grant the permission to show user information, and save.

2. Log in as a user with that role and go to the URL http://my.facturascripts.site/EditUser?code=admin&action=export&option=PDF -> all the information of admin (and of other users) is shown, including email and IP address.

Impact

- First, admin's information must not be visible to any other user; exposing it can lead to dangerous actions by attackers.

- Second, the impact of leaking IP addresses (of the admin or any other user) is very serious: attackers can use them to obtain valuable information, including your location and online identity. Using this information as a starting point, they could potentially hack your device, steal your identity, and more.
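The mechanism in the proof of concept is that a role (page-level) permission is being treated as permission to read any user's record named by the `code` parameter. The following is an added illustration, generic Python rather than FacturaScripts code: it parses the PoC-style URL, shows a handler that checks only the role permission (the IDOR pattern), and beside it a handler that also applies an object-level rule. The user table, the `EditUser:show` permission name, the `Session` type and the owner-or-admin rule are all constructed assumptions for the example, not the project's actual data or fix.

```python
"""Added illustration of the IDOR pattern in the report: a role/page permission
check is not an object-level check. Generic Python, not FacturaScripts code;
user records, permission names and the Session type are constructed."""
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

# Constructed user table (not real data). `email` and `last_ip` are the
# kinds of fields the report says were exposed.
USERS = {
    "admin": {"nick": "admin", "email": "admin@example.test", "last_ip": "203.0.113.7", "admin": True},
    "alice": {"nick": "alice", "email": "alice@example.test", "last_ip": "198.51.100.3", "admin": False},
}

# The URL shape from the report's proof of concept.
POC_URL = "http://my.facturascripts.site/EditUser?code=admin&action=export&option=PDF"


class Forbidden(Exception):
    """Raised when the caller may not perform the requested action."""


@dataclass
class Session:
    nick: str                 # the logged-in user
    permissions: frozenset    # permissions granted through the user's role (assumed model)


def parse_request(url):
    """Split a PoC-style URL into (page, params) with single-valued params."""
    parts = urlsplit(url)
    page = parts.path.lstrip("/")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return page, params


def export_user_vulnerable(session, params):
    """Checks only the role permission, then returns whatever record `code`
    names. A user whose role grants 'show user information' can therefore
    export admin's record, email and IP included: the IDOR in the report."""
    if "EditUser:show" not in session.permissions:
        raise Forbidden("role lacks permission to show user information")
    return dict(USERS[params["code"]])


def may_export(session, code):
    """Object-level rule (an assumption for this example, not the project's
    actual fix): a user may export only their own record unless they are
    an administrator. Unknown actors or targets are denied."""
    actor = USERS.get(session.nick)
    if actor is None or code not in USERS:
        return False
    return code == session.nick or bool(actor["admin"])


def export_user_fixed(session, params):
    """Role permission check *and* object-level check before returning data."""
    if "EditUser:show" not in session.permissions:
        raise Forbidden("role lacks permission to show user information")
    code = params["code"]
    if not may_export(session, code):
        raise Forbidden(f"{session.nick} may not export record {code!r}")
    return dict(USERS[code])


if __name__ == "__main__":
    page, params = parse_request(POC_URL)
    alice = Session("alice", frozenset({"EditUser:show"}))
    print("vulnerable handler leaks:", export_user_vulnerable(alice, params)["last_ip"])
    try:
        export_user_fixed(alice, params)
    except Forbidden as err:
        print("fixed handler refuses:", err)
```

The point of `may_export` is that the decision is made against the identity in the session and the specific record requested, not against a role flag alone; the same check belongs on every action (view, edit, export) that reads a record selected by a client-supplied identifier.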

We are processing your report and will contact the neorazorx/facturascripts team within 24 hours. 24 days ago
dungtuanha modified the report
24 days ago
We have contacted a member of the neorazorx/facturascripts team and are waiting to hear back 23 days ago
Carlos Garcia validated this vulnerability 22 days ago

This problem has been fixed in two commits

dungtuanha has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carlos Garcia confirmed that a fix has been merged on 92afdf 22 days ago
Carlos Garcia has been awarded the fix bounty