| 제목 | Open-Source LitmusChaos 3.19.0 IDOR in Project Access Control |
|---|
| 설명 | Description
A critical Insecure Direct Object Reference (IDOR) vulnerability was discovered in the LitmusChaos platform, allowing low-privileged users to access sensitive data from projects they do not own or have permission to view. By manipulating the projectID parameter in the URL, attackers can bypass access controls and retrieve internal data from other users’ projects.
Details
The application uses the projectID parameter within various endpoints to load project-specific data. However, the backend does not verify whether the requesting user is authorized to access the specified project. This leads to unauthorized data exposure by simply altering the projectID value in the request.
For example, a user assigned to projectID=abc123 can replace this ID with another valid project ID such as projectID=xyz789 and receive a successful response containing unauthorized project information. |
|---|
| 원천 | ⚠️ https://github.com/MaiqueSilva/VulnDB/blob/main/readme03.md |
|---|
| 사용자 | maique (UID 88562) |
|---|
| 제출 | 2025. 07. 31. AM 02:36 (9 개월 ago) |
|---|
| 모더레이션 | 2025. 08. 09. AM 07:34 (9 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 319321 [LitmusChaos Litmus 까지 3.19.0 projectID 권한 상승] |
|---|
| 포인트들 | 20 |
|---|