| タイトル | Open-Source LitmusChaos 3.19.0 IDOR in Project Access Control |
|---|
| 説明 | Description
A critical Insecure Direct Object Reference (IDOR) vulnerability was discovered in the LitmusChaos platform, allowing low-privileged users to access sensitive data from projects they do not own or have permission to view. By manipulating the projectID parameter in the URL, attackers can bypass access controls and retrieve internal data from other users’ projects.
Details
The application uses the projectID parameter within various endpoints to load project-specific data. However, the backend does not verify whether the requesting user is authorized to access the specified project. This leads to unauthorized data exposure by simply altering the projectID value in the request.
For example, a user assigned to projectID=abc123 can replace this ID with another valid project ID such as projectID=xyz789 and receive a successful response containing unauthorized project information. |
|---|
| ソース | ⚠️ https://github.com/MaiqueSilva/VulnDB/blob/main/readme03.md |
|---|
| ユーザー | maique (UID 88562) |
|---|
| 送信 | 2025年07月31日 02:36 (9 月 ago) |
|---|
| モデレーション | 2025年08月09日 07:34 (9 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 319321 [LitmusChaos Litmus 迄 3.19.0 projectID 特権昇格] |
|---|
| ポイント | 20 |
|---|