IDOR Vulnerability Allowing View/Delete of External Users
An IDOR vulnerability in version 1.3.2 allows authenticated users to view or delete external users by manipulating the user ID in the request. This issue was patched in version 1.3.4.
Available publicly on Sep 29 2024 | Available with Premium on Aug 24 2024
Threat Overview
The vulnerability arises from the lack of proper access control checks on the user ID parameter in the API endpoints for viewing and deleting external users. This allows an authenticated user to manipulate the ID parameter to access or delete any external user record, leading to unauthorized data access and potential data loss.
Attack Scenario
An attacker logs into the lunary dashboard and navigates to the task users section. By intercepting the request using a tool like Burp Suite, the attacker modifies the ID parameter in the request to target a different external user. This allows the attacker to view or delete any external user record without proper authorization.
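The missing check described in the Threat Overview and the Attack Scenario, as an added example that is not lunary's own code: an in-memory model of the view/delete handlers with the unscoped lookup beside a tenant-scoped one. The project/session shape, the sample records and the function names are constructed assumptions for illustration.

```javascript
// Added example (not lunary's code). Assumption: each external user belongs to
// a project, and the caller's session carries the projectId it is allowed to act on.

// Constructed sample data: two projects, one external user each.
function seedStore() {
  return new Map([
    [1, { id: 1, projectId: "proj-A", email: "alice@example.com" }],
    [2, { id: 2, projectId: "proj-B", email: "bob@example.com" }],
  ]);
}

// Vulnerable pattern (the 1.3.2 behaviour described above): the record is
// fetched by the client-supplied id alone, so any authenticated session can
// delete any external user simply by changing the id in the request.
function deleteExternalUserVulnerable(store, session, id) {
  if (!session) return { status: 401 };
  const user = store.get(id);
  if (!user) return { status: 404 };
  store.delete(id);
  return { status: 200, deleted: user.id };
}

// Fixed pattern: the lookup is scoped to the caller's project. An id that
// belongs to another project is treated exactly like a nonexistent one, so the
// endpoint neither acts on it nor reveals whether it exists.
function authorizeExternalUser(store, session, id) {
  if (!session) return { status: 401 };
  const user = store.get(id);
  if (!user || user.projectId !== session.projectId) return { status: 404 };
  return { status: 200, user };
}

function getExternalUserScoped(store, session, id) {
  return authorizeExternalUser(store, session, id);
}

function deleteExternalUserScoped(store, session, id) {
  const result = authorizeExternalUser(store, session, id);
  if (result.status !== 200) return result;
  store.delete(id);
  return { status: 200, deleted: result.user.id };
}
```

Running the scoped handlers with a session for project A against id 2 (project B) returns 404 and leaves the record in place, whereas the vulnerable handler deletes it.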
Who is affected
All users of the lunary application version 1.3.2 who have access to the task users section are affected by this vulnerability.