| शीर्षक | Dolibarr Dolibarr ERP/CRM <=23.0.1 Incorrect Authorization |
|---|
| विवरण | Dolibarr ERP/CRM 23.0.0 contains an improper authorization vulnerability in the Leave Request REST API. An authenticated low-privileged user with permission to read only their own and their subordinates' leave requests can access leave requests belonging to other users via the /api/index.php/holidays/{id} endpoint. The Web UI correctly enforces hierarchy-based authorization checks, but the REST API endpoint bypasses these checks due to inconsistent parameter handling in checkUserAccessToObject(), allowing horizontal privilege escalation and disclosure of sensitive business data. |
|---|
| स्रोत | ⚠️ https://github.com/Dolibarr/dolibarr/issues/37752 |
|---|
| उपयोगकर्ता | Mitch311 (UID 97676) |
|---|
| सबमिशन | 07/05/2026 01:36 PM (28 दिन पहले) |
|---|
| संयम | 31/05/2026 09:32 AM (24 days later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 367494 [Dolibarr ERP CRM तक 23.0.1 Leave Request REST API api_holidays.class.php checkUserAccessToObject अधिकार वृद्धि] |
|---|
| अंक | 20 |
|---|