Submission #758664: Psi Probe <=5.3.0 Broken Access Control

Title: Psi Probe <=5.3.0 Broken Access Control
Description: Psi Probe versions up to and including 5.3.0 allow any authenticated user with the "probeuser" role to remove arbitrary session attributes from any other user's session through the /app/rmsattr.htm endpoint. The application fails to validate session ownership before processing attribute removal requests, enabling low-privileged attackers to delete security-critical session attributes (such as authorization flags, MFA completion status, or role identifiers) from other users' sessions, potentially bypassing authorization controls and escalating privileges.
Source: https://github.com/AnalogyC0de/public_exp/issues/14
User: Ana10gy (UID 93358)
Submitted: 15/02/2026 04h37 (2 months ago)
Moderated: 26/02/2026 16h13 (11 days later)
Status: Accepted
VulDB entry: 347992 [psi-probe PSI Probe up to 5.3.0 Session Attribute RemoveSessAttributeController.java Privilege Escalation]
Points: 20
