Soumettre #758664: Psi Probe <=5.3.0 Broken Access Controlinformation

TitrePsi Probe <=5.3.0 Broken Access Control
DescriptionPsi Probe versions up to and including 5.3.0 allow any authenticated user with the "probeuser" role to remove arbitrary session attributes from any other user's session through the /app/rmsattr.htm endpoint. The application fails to validate session ownership before processing attribute removal requests, enabling low-privileged attackers to delete security-critical session attributes (such as authorization flags, MFA completion status, or role identifiers) from other users' sessions, potentially bypassing authorization controls and escalating privileges.
La source⚠️ https://github.com/AnalogyC0de/public_exp/issues/14
Utilisateur
 Ana10gy (UID 93358)
Soumission15/02/2026 04:37 (il y a 2 mois)
Modérer26/02/2026 16:13 (11 days later)
StatutAccepté
Entrée VulDB347992 [psi-probe PSI Probe jusqu’à 5.3.0 Session Attribute RemoveSessAttributeController.java élévation de privilèges]
Points20

PrécédentAperçuSuivant

Interested in the pricing of exploits?

See the underground prices here!