IDOR Vulnerability in Prompt Update Function
An IDOR vulnerability in version 1.3.2 allows an authenticated user to update other users' prompts by manipulating the 'id' parameter of the prompt update request. This issue was patched in version 1.4.3.
Available publicly on Sep 29 2024 | Available with Premium on Aug 04 2024
Threat Overview
The vulnerability exists in the 'Evaluations' function within the datasets section, where the 'id' parameter that identifies the prompt to update is taken from the request and trusted as-is. The server never checks that the prompt referenced by that 'id' belongs to the authenticated user, so an attacker can update prompts belonging to other users simply by changing the 'id' value in the request. This missing access control check on the 'id' parameter is an Insecure Direct Object Reference (IDOR).
Attack Scenario
An attacker logs in as User A and intercepts the request that updates one of their own prompts. By changing the 'id' parameter in that request to the 'id' of a prompt belonging to User B and resending it, the attacker updates User B's prompt, even though User A is not authorized to modify it.
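The following is an added example, not code from the affected product or from the advisory's author. It models the handler the Threat Overview and Attack Scenario describe: a prompt update that trusts the client-supplied 'id' and never compares the record's owner with the logged-in user, next to a hardened version whose lookup is scoped to the session user. All names (PromptStore, update_prompt_vulnerable, update_prompt_fixed, the user and prompt ids) and the in-memory data model are assumptions made for illustration.

```python
# Added example, not code from the affected product or the advisory's author.
# It models the flaw the advisory describes: a prompt-update handler that
# trusts the client-supplied 'id' and never checks who owns the record.
# All names (PromptStore, update_prompt_vulnerable, update_prompt_fixed,
# the user and prompt ids) are assumptions made for illustration.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Prompt:
    id: int
    owner_id: int
    text: str


class PromptStore:
    """In-memory stand-in for the prompts table."""

    def __init__(self, prompts: Dict[int, Prompt]) -> None:
        self._prompts = prompts

    def get(self, prompt_id: int) -> Optional[Prompt]:
        # Equivalent of SELECT ... WHERE id = ?
        return self._prompts.get(prompt_id)

    def get_owned(self, prompt_id: int, owner_id: int) -> Optional[Prompt]:
        # Equivalent of SELECT ... WHERE id = ? AND owner_id = ?
        p = self._prompts.get(prompt_id)
        return p if p is not None and p.owner_id == owner_id else None


def update_prompt_vulnerable(store: PromptStore, session_user_id: int,
                             request: Dict[str, str]) -> Tuple[int, str]:
    """Vulnerable handler: the only authorisation check is 'is logged in'.

    'id' comes straight from the request body, so any authenticated user can
    point it at another user's prompt. session_user_id is never consulted.
    """
    prompt = store.get(int(request["id"]))
    if prompt is None:
        return 404, "not found"
    prompt.text = request["text"]
    return 200, "updated"


def update_prompt_fixed(store: PromptStore, session_user_id: int,
                        request: Dict[str, str]) -> Tuple[int, str]:
    """Hardened handler: the lookup itself is scoped to the session user.

    A prompt that does not exist and a prompt owned by someone else both
    yield 404, so the response does not confirm that the foreign id exists.
    """
    prompt = store.get_owned(int(request["id"]), session_user_id)
    if prompt is None:
        return 404, "not found"
    prompt.text = request["text"]
    return 200, "updated"


def demo() -> Dict[str, object]:
    """Replay the advisory's scenario against both handlers."""
    USER_A, USER_B = 100, 200  # constructed user ids

    def fresh_store() -> PromptStore:
        return PromptStore({
            1: Prompt(1, USER_A, "User A's prompt"),
            2: Prompt(2, USER_B, "User B's prompt"),
        })

    # Constructed request body: User A intercepts their own update request
    # and rewrites 'id' from 1 to 2, the id of User B's prompt.
    tampered = {"id": "2", "text": "overwritten by User A"}

    vuln = fresh_store()
    vuln_status, _ = update_prompt_vulnerable(vuln, USER_A, tampered)

    fixed = fresh_store()
    fixed_status, _ = update_prompt_fixed(fixed, USER_A, tampered)
    text_after_attack = fixed.get(2).text
    # The legitimate owner must still be able to update their own prompt.
    owner_status, _ = update_prompt_fixed(
        fixed, USER_B, {"id": "2", "text": "edited by B"})

    return {
        "vulnerable_status": vuln_status,
        "vulnerable_text": vuln.get(2).text,
        "fixed_status": fixed_status,
        "fixed_text_after_attack": text_after_attack,
        "owner_status": owner_status,
        "owner_text": fixed.get(2).text,
    }


if __name__ == "__main__":
    print(demo())
```

The fix worth copying is the shape of `get_owned`: the ownership condition is part of the lookup rather than a separate check after it, so there is no code path that fetches a foreign record and forgets to compare owners, and the handler cannot tell an attacker whether a guessed 'id' exists. When testing a real deployment for this class of bug, the check is the same as `demo()`: log in as one user, replay that user's own update request with another user's 'id', and confirm the second user's record did not change.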
Who is affected
Users of version 1.3.2 who use the 'Evaluations' function in the datasets section are affected: any prompt stored there can be overwritten by any other authenticated user, not only by its owner.