| Titolo | manjurulhoque/django-job-portal dfa352f305bba44445ac5dc12e9b2a98c9dcd71f Improper Access Controls |
|---|
| Descrizione | An authenticated user with the low-privilege employee role can escalate themselves to the privileged employer role by sending the role field in a request to their own profile-update endpoint. The endpoint is correctly authenticated and correctly scoped to the caller's own record — but the serializer it uses leaves role request-writable, and role is exactly the field the application's own authorization classes (IsEmployer / IsEmployee) read to make access decisions.
A self-registered job seeker becomes an "employer" and gains employer-only capabilities: /api/employer/dashboard/, job creation (/api/employer/jobs/create/), and viewing/altering applicant data (/api/employer/applicants/..., UpdateApplicantStatusAPIView) — i.e. read access to other users' application data and write access to hiring state. |
|---|
| Fonte | ⚠️ https://github.com/manjurulhoque/django-job-portal/issues/91 |
|---|
| Utente | AliceS614 (UID 94277) |
|---|
| Sottomissione | 08/06/2026 11:27 (1 mese fa) |
|---|
| Moderazione | 09/07/2026 07:18 (1 month later) |
|---|
| Stato | Accettato |
|---|
| Voce VulDB | 377114 [manjurulhoque django-job-portal fino a dfa352f305bba44445ac5dc12e9b2a98c9dcd71f Employee Dashboard Endpoint accounts/api/views.py EditEmployeeProfileAPIView role escalationi di privilegi] |
|---|
| Punti | 20 |
|---|