| Título | coco-annotator v0.11.1 Broken Function Level Authorization |
|---|
| Descrição | An attacker can delete categories created by other users via a DELETE request to the /api/undo/ endpoint without any ownership or permission checks. This constitutes a Broken Function Level Authorization (BFLA) vulnerability, allowing unauthorized manipulation of protected resources.
Vulnerable Endpoint
DELETE /api/undo/?id=198&instance=category HTTP/1.1
Host: localhost:5001
Cookie: session=<valid session cookie of low-privilege user>
• id: The category ID created by another user (e.g., “natan”)
• instance: The type of object to delete (e.g., “category”)
Impact
• Any authenticated user can delete categories created by other users.
• No verification is done to ensure that the requester is the original creator or has elevated permissions (e.g., admin).
• Leads to data integrity issues, potential denial of service, or abuse in multi-tenant environments.
Steps to Reproduce
1. Log in as User A and create a category.
2. Log in as User B (a separate, normal user).
3. Send the following request as User B:
DELETE /api/undo/?id=<category_id_from_UserA>&instance=category HTTP/1.1
Host: localhost:5001
Cookie: session=<UserB's valid session>
4. ✅ The category created by User A is deleted by User B. |
|---|
| Fonte | ⚠️ https://github.com/nmmorette/vulnerability-research/blob/main/BFLA%20COCO%20Annotator%20in%20DELETE%20api%20undo/BFLA%20COCO%20Annotator%20in%20DELETE%20api%20undo%202f1ef09b8736807aa1f7ede4b64fa35d.md |
|---|
| Utilizador | nmmorette (UID 87361) |
|---|
| Submissão | 23/01/2026 15h53 (há 5 meses) |
|---|
| Moderação | 06/02/2026 15h23 (14 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 344685 [jsbroks COCO Annotator até 0.11.1 Delete Category /api/undo/ ID Elevação de Privilégios] |
|---|
| Pontos | 20 |
|---|