| Название | Open-Source LitmusChaos 3.19.0 IDOR in Project Access Control |
|---|
| Описание | Description
A critical Insecure Direct Object Reference (IDOR) vulnerability was discovered in the LitmusChaos platform, allowing low-privileged users to access sensitive data from projects they do not own or have permission to view. By manipulating the projectID parameter in the URL, attackers can bypass access controls and retrieve internal data from other users’ projects.
Details
The application uses the projectID parameter within various endpoints to load project-specific data. However, the backend does not verify whether the requesting user is authorized to access the specified project. This leads to unauthorized data exposure by simply altering the projectID value in the request.
For example, a user assigned to projectID=abc123 can replace this ID with another valid project ID such as projectID=xyz789 and receive a successful response containing unauthorized project information. |
|---|
| Источник | ⚠️ https://github.com/MaiqueSilva/VulnDB/blob/main/readme03.md |
|---|
| Пользователь | maique (UID 88562) |
|---|
| Представление | 31.07.2025 02:36 (9 месяцы назад) |
|---|
| Модерация | 09.08.2025 07:34 (9 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 319321 [LitmusChaos Litmus до 3.19.0 projectID эскалация привилегий] |
|---|
| Баллы | 20 |
|---|