| Название | Open-Source LitmusChaos 3.19.0 Authorization Bypass via LocalStorage |
|---|
| Описание | An authorization bypass vulnerability was identified in the LitmusChaos platform, where an authenticated user can escalate their privileges and gain owner-level access to a project by manipulating the projectID value stored in the browser's LocalStorage. This occurs due to the absence of proper backend validation for project ownership and user authorization.
The LitmusChaos platform stores the projectID in the browser’s LocalStorage, which can be freely modified by the client. Upon modifying this value to reference a different project, the application fails to verify whether the user is authorized to access or control the new project. As a result, the attacker is able to perform privileged operations—such as editing configurations, deleting resources, or inviting users—on a project they do not own.
This design flaw shifts critical access control logic to the client side, violating standard security practices and enabling unauthorized privilege escalation. |
|---|
| Источник | ⚠️ https://github.com/MaiqueSilva/VulnDB/blob/main/readme04.md |
|---|
| Пользователь | maique (UID 88562) |
|---|
| Представление | 31.07.2025 04:11 (9 месяцы назад) |
|---|
| Модерация | 09.08.2025 07:34 (9 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 319322 [LitmusChaos Litmus до 3.19.0 LocalStorage projectID эскалация привилегий] |
|---|
| Баллы | 20 |
|---|