| Field | Value |
|---|---|
| Title | Shy2593666979 AgentChat <= v2.3.0 Authorization Bypass |
| Description | An Insecure Direct Object Reference (IDOR) vulnerability exists in AgentChat ≤ v2.3.0 at the /api/v1/user/update endpoint, where the user_id parameter is accepted directly from user input without proper authorization checks. As a result, unauthenticated attackers can modify arbitrary users' information by manipulating the user_id parameter, leading to unauthorized modification of other users' profiles, including avatars and descriptions. Mitigations include implementing proper authorization checks so that users can only update their own information, retrieving the user ID from the authenticated session/token rather than accepting it as a parameter, applying role-based access control (RBAC) to restrict update operations, and logging all user information modification attempts for security auditing. |
| Source | https://github.com/CC-T-454455/Vulnerabilities/tree/master/agent-chat/vulnerability-2 |
| User | Anonymous User |
| Submission | 22/02/2026 05:05 PM (2 months ago) |
| Moderation | 07/03/2026 09:35 AM (13 days later) |
| Status | Duplicate |
| VulDB Entry | 349640 [Shy2593666979 AgentChat up to 2.3.0 User Endpoint user.py get_user_info/update_user_info user_id authorization bypass] |
| Points | 0 |
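The flaw and the recommended fix, as an added illustration that is not AgentChat's own code: a profile-update handler in the IDOR-prone shape described above (target row chosen by the client-supplied `user_id`) beside a hardened version that takes the target from the authenticated session, rejects mismatches, and logs every attempt. `Request`, `session_user_id` and the in-memory user table are simplified stand-ins for the real framework objects.

```python
import logging
from dataclasses import dataclass, field
from typing import Optional

log = logging.getLogger("user_update")


def sample_users() -> dict:
    """Constructed sample user table keyed by user_id (not real data)."""
    return {
        1: {"avatar": "a1.png", "description": "alice"},
        2: {"avatar": "a2.png", "description": "bob"},
    }


@dataclass
class Request:
    # Identity derived server-side from the auth token; None when unauthenticated.
    session_user_id: Optional[int]
    # JSON body exactly as the client sent it (untrusted).
    body: dict = field(default_factory=dict)


class Forbidden(Exception):
    pass


EDITABLE = ("avatar", "description")


def update_user_info_vulnerable(req: Request, users: dict) -> dict:
    """IDOR shape: the row to modify is whatever user_id the client names."""
    target = users[req.body["user_id"]]
    target.update({k: req.body[k] for k in EDITABLE if k in req.body})
    return target


def update_user_info_fixed(req: Request, users: dict) -> dict:
    """Hardened: row comes from the session; foreign user_id values are refused and audited."""
    if req.session_user_id is None:
        log.warning("unauthenticated profile update rejected")
        raise Forbidden("authentication required")
    if "user_id" in req.body and req.body["user_id"] != req.session_user_id:
        log.warning("user %s tried to modify user %s", req.session_user_id, req.body["user_id"])
        raise Forbidden("may only update own profile")
    target = users[req.session_user_id]
    target.update({k: req.body[k] for k in EDITABLE if k in req.body})
    log.info("user %s updated own profile", req.session_user_id)
    return target
```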