| Título | Open-Source LitmusChaos 3.19.0 IDOR in Project Access Control |
|---|
| Descrição | Description
A critical Insecure Direct Object Reference (IDOR) vulnerability was discovered in the LitmusChaos platform, allowing low-privileged users to access sensitive data from projects they do not own or have permission to view. By manipulating the projectID parameter in the URL, attackers can bypass access controls and retrieve internal data from other users’ projects.
Details
The application uses the projectID parameter within various endpoints to load project-specific data. However, the backend does not verify whether the requesting user is authorized to access the specified project. This leads to unauthorized data exposure by simply altering the projectID value in the request.
For example, a user assigned to projectID=abc123 can replace this ID with another valid project ID such as projectID=xyz789 and receive a successful response containing unauthorized project information. |
|---|
| Fonte | ⚠️ https://github.com/MaiqueSilva/VulnDB/blob/main/readme03.md |
|---|
| Utilizador | maique (UID 88562) |
|---|
| Submissão | 31/07/2025 02h36 (há 9 meses) |
|---|
| Moderação | 09/08/2025 07h34 (9 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 319321 [LitmusChaos Litmus até 3.19.0 projectID Elevação de Privilégios] |
|---|
| Pontos | 20 |
|---|