| Titre | CodeGenieApp @codegenie/serverless-express <=4.17.1 Broken Object Level Authorization |
|---|
| Description | The TodoList management system contains a critical Broken Object Level Authorization (BOLA) vulnerability (also known as IDOR) due to a missing ownership model in the database schema. The TodoList DynamoDB table lacks a userId field, preventing any ownership association between lists and their creators. Consequently, if an attacker obtains a valid listId (e.g., via leaked URLs, Referer headers, or chained with the previously reported Property Injection vulnerability), they can use their own authenticated session to view, modify, or permanently delete any other user's todo lists, resulting in a complete compromise of data confidentiality, integrity, and availability. |
|---|
| La source | ⚠️ https://github.com/AnalogyC0de/public_exp/issues/20 |
|---|
| Utilisateur | Ana10gy (UID 93358) |
|---|
| Soumission | 02/03/2026 04:00 (il y a 2 mois) |
|---|
| Modérer | 14/03/2026 13:57 (12 days later) |
|---|
| Statut | Dupliqué |
|---|
| Entrée VulDB | 351078 [CodeGenieApp serverless-express jusqu’à 4.17.1 API Endpoint TodoList.ts userId élévation de privilèges] |
|---|
| Points | 0 |
|---|