Submission #745579: coco-annotator v0.11.1 Broken Function Level Authorization, details

Title: coco-annotator v0.11.1 Broken Function Level Authorization
Description:
An attacker can delete categories created by other users via a DELETE request to the /api/undo/ endpoint without any ownership or permission checks. This constitutes a Broken Function Level Authorization (BFLA) vulnerability, allowing unauthorized manipulation of protected resources.

Vulnerable Endpoint
DELETE /api/undo/?id=198&instance=category HTTP/1.1
Host: localhost:5001
Cookie: session=<valid session cookie of low-privilege user>
• id: The category ID created by another user (e.g., "natan")
• instance: The type of object to delete (e.g., "category")

Impact
• Any authenticated user can delete categories created by other users.
• No verification is done to ensure that the requester is the original creator or has elevated permissions (e.g., admin).
• Leads to data integrity issues, potential denial of service, or abuse in multi-tenant environments.

Steps to Reproduce
1. Log in as User A and create a category.
2. Log in as User B (a separate, normal user).
3. Send the following request as User B:
DELETE /api/undo/?id=<category_id_from_UserA>&instance=category HTTP/1.1
Host: localhost:5001
Cookie: session=<UserB's valid session>
4. The category created by User A is deleted by User B.
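As an added example (not coco-annotator's own code), the missing check modelled in Python: the vulnerable handler deletes on authentication alone, while the hardened one also requires the requester to be the category's creator or an admin. User, Category, the store and the function names are constructed stand-ins for the real application objects.

```python
"""Added example, not coco-annotator's own code: it models the missing
authorization check behind DELETE /api/undo/?id=...&instance=category with an
in-memory store. Names (User, Category, undo_delete_*) are hypothetical."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Requester may not act on the resource (would be an HTTP 403)."""


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False


@dataclass
class Category:
    id: int
    name: str
    creator: str  # username of the user who created it


# Constructed sample data: category 198 belongs to "natan", as in the report.
USERS = {"natan": User("natan"), "mallory": User("mallory"),
         "root": User("root", is_admin=True)}
CATEGORIES = {198: Category(198, "cars", creator="natan")}


def undo_delete_vulnerable(store, requester, category_id):
    """Behaviour the report describes: only authentication is checked, so any
    logged-in user can delete anyone's category."""
    if requester is None:
        raise PermissionError("login required")
    del store[category_id]  # KeyError for an unknown id (the 404 path)
    return True


def can_delete(requester, category):
    """Function-level authorization: the creator or an admin only."""
    return requester.is_admin or requester.name == category.creator


def undo_delete_hardened(store, requester, category_id):
    """Same endpoint with the ownership/permission check before the delete."""
    if requester is None:
        raise PermissionError("login required")
    if not can_delete(requester, store[category_id]):
        raise Forbidden(f"{requester.name} may not delete category {category_id}")
    del store[category_id]
    return True
```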
Source: https://github.com/nmmorette/vulnerability-research/blob/main/BFLA%20COCO%20Annotator%20in%20DELETE%20api%20undo/BFLA%20COCO%20Annotator%20in%20DELETE%20api%20undo%202f1ef09b8736807aa1f7ede4b64fa35d.md
User: nmmorette (UID 87361)
Submitted: 23 January 2026 15:53 (5 months ago)
Moderation: 06 February 2026 15:23 (14 days later)
Status: Accepted
VulDB entry: 344685 [jsbroks COCO Annotator up to 0.11.1 Delete Category /api/undo/ identifier privilege escalation]
Points: 20
