| Título | CodeGenieApp @codegenie/serverless-express <=4.17.1 Broken Object Level Authorization |
|---|
| Descrição | The TodoList management system contains a critical Broken Object Level Authorization (BOLA) vulnerability (also known as IDOR) due to a missing ownership model in the database schema. The TodoList DynamoDB table lacks a userId field, preventing any ownership association between lists and their creators. Consequently, if an attacker obtains a valid listId (e.g., via leaked URLs, Referer headers, or chained with the previously reported Property Injection vulnerability), they can use their own authenticated session to view, modify, or permanently delete any other user's todo lists, resulting in a complete compromise of data confidentiality, integrity, and availability. |
|---|
| Fonte | ⚠️ https://github.com/AnalogyC0de/public_exp/issues/20 |
|---|
| Utilizador | Ana10gy (UID 93358) |
|---|
| Submissão | 02/03/2026 04h00 (há 2 meses) |
|---|
| Moderação | 14/03/2026 13h57 (12 days later) |
|---|
| Estado | Duplicado |
|---|
| Entrada VulDB | 351078 [CodeGenieApp serverless-express até 4.17.1 API Endpoint TodoList.ts userId Elevação de Privilégios] |
|---|
| Pontos | 0 |
|---|