Submeter #753969: funadmin v7.1.0-rc4 Insecure Direct Object Referenceinformação

Títulofunadmin v7.1.0-rc4 Insecure Direct Object Reference
DescriçãoIn app/frontend/view/login/forget.html, the application checks for the presence of the forget_uid and forget_code cookies. When present, it calls the getMember method with forget_uid as an argument to retrieve user information. Because forget_uid is entirely controllable by the client and lacks proper authorization checks, an authenticated attacker can manipulate this value to access other users’ information, leading to a horizontal authorization bypass (IDOR).
Fonte⚠️ https://github.com/I4m6da/CVE/issues/1
Utilizador
 I4m6da (UID 95320)
Submissão07/02/2026 12h54 (há 4 meses)
Moderação20/02/2026 19h56 (13 days later)
EstadoAceite
Entrada VulDB347205 [funadmin até 7.1.0-rc4 forget.html getMember Divulgação de Informação]
Pontos20

VoltarVisão GeralPróximo

Want to know what is going to be exploited?

We predict KEV entries!