| タイトル | manjurulhoque/django-job-portal dfa352f305bba44445ac5dc12e9b2a98c9dcd71f Improper Access Controls |
|---|
| 説明 | An authenticated user with the low-privilege employee role can escalate themselves to the privileged employer role by sending the role field in a request to their own profile-update endpoint. The endpoint is correctly authenticated and correctly scoped to the caller's own record — but the serializer it uses leaves role request-writable, and role is exactly the field the application's own authorization classes (IsEmployer / IsEmployee) read to make access decisions.
A self-registered job seeker becomes an "employer" and gains employer-only capabilities: /api/employer/dashboard/, job creation (/api/employer/jobs/create/), and viewing/altering applicant data (/api/employer/applicants/..., UpdateApplicantStatusAPIView) — i.e. read access to other users' application data and write access to hiring state. |
|---|
| ソース | ⚠️ https://github.com/manjurulhoque/django-job-portal/issues/91 |
|---|
| ユーザー | AliceS614 (UID 94277) |
|---|
| 送信 | 2026年06月08日 11:27 (1 月 ago) |
|---|
| モデレーション | 2026年07月09日 07:18 (1 month later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 377114 [manjurulhoque django-job-portal 迄 dfa352f305bba44445ac5dc12e9b2a98c9dcd71f Employee Dashboard Endpoint accounts/api/views.py EditEmployeeProfileAPIView role 特権昇格] |
|---|
| ポイント | 20 |
|---|