Improper Access Control (IDOR) in neorazorx/facturascripts

Valid

Reported on Apr 28th 2022

Description

Improper Access Control (IDOR) could leak admin information.

Proof of Concept

1. Log in as admin, edit a role to give it permission to show user information -> save

2. Log in as a user with that role -> go to the URL http://my.facturascripts.site/EditUser?code=admin&action=export&option=PDF -> can see all the information of admin (and other users), including email and IP address

Impact

- First, the admin's information should not be visible to any other user; it can lead to dangerous actions by attackers.

- Second, the impact of leaking IP addresses (of the admin or any other user) is very serious: attackers can use them to seize very valuable information, including your location and online identity. Using this information as a starting point, they could potentially hack your device, steal your identity, and more.
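The missing check behind this report is object-level authorization: a role permission that grants access to the EditUser page is not the same as permission to read any user's record. The following is an added illustration written for this page, not FacturaScripts code; the user records, the Session class and the permission name "EditUser" are assumptions, and the fixed handler additionally strips the last-login IP from non-admin exports.

```python
from dataclasses import dataclass, field

# Constructed sample records (not real FacturaScripts data).
USERS = {
    "admin": {"nick": "admin", "email": "admin@example.test",
              "last_ip": "203.0.113.7", "admin": True},
    "bob":   {"nick": "bob", "email": "bob@example.test",
              "last_ip": "198.51.100.9", "admin": False},
}


@dataclass
class Session:
    """Assumed session model: who is logged in and which pages the role allows."""
    nick: str
    is_admin: bool
    permissions: set = field(default_factory=set)  # e.g. {"EditUser"}


class Forbidden(Exception):
    pass


def export_user_vulnerable(session: Session, code: str) -> dict:
    """Pattern described in the report: only the page-level permission is checked,
    so any user whose role can open EditUser may export every record."""
    if "EditUser" not in session.permissions:
        raise Forbidden("role has no access to EditUser")
    return dict(USERS[code])


def export_user_fixed(session: Session, code: str) -> dict:
    """Hardened handler: page permission, then an object-level check that the
    requested record is the caller's own unless the caller is an admin, and
    redaction of the IP address for non-admin callers."""
    if "EditUser" not in session.permissions:
        raise Forbidden("role has no access to EditUser")
    if code != session.nick and not session.is_admin:
        raise Forbidden("may only export own record")
    record = dict(USERS[code])
    if not session.is_admin:
        record.pop("last_ip", None)
    return record
```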

We are processing your report and will contact the neorazorx/facturascripts team within 24 hours. a year ago
dungtuanha modified the report a year ago
dungtuanha modified the report a year ago
We have contacted a member of the neorazorx/facturascripts team and are waiting to hear back a year ago
Carlos Garcia validated this vulnerability a year ago

This problem has been fixed in two commits

dungtuanha has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carlos Garcia marked this as fixed in 2022.06 with commit 92afdf a year ago
Carlos Garcia has been awarded the fix bounty
This vulnerability will not receive a CVE