| Название | coco-annotator v0.11.1 Broken Function Level Authorization |
|---|
| Описание | An attacker can delete categories created by other users via a DELETE request to the /api/undo/ endpoint without any ownership or permission checks. This constitutes a Broken Function Level Authorization (BFLA) vulnerability, allowing unauthorized manipulation of protected resources.
Vulnerable Endpoint
DELETE /api/undo/?id=198&instance=category HTTP/1.1
Host: localhost:5001
Cookie: session=<valid session cookie of low-privilege user>
• id: The category ID created by another user (e.g., “natan”)
• instance: The type of object to delete (e.g., “category”)
Impact
• Any authenticated user can delete categories created by other users.
• No verification is done to ensure that the requester is the original creator or has elevated permissions (e.g., admin).
• Leads to data integrity issues, potential denial of service, or abuse in multi-tenant environments.
Steps to Reproduce
1. Log in as User A and create a category.
2. Log in as User B (a separate, normal user).
3. Send the following request as User B:
DELETE /api/undo/?id=<category_id_from_UserA>&instance=category HTTP/1.1
Host: localhost:5001
Cookie: session=<UserB's valid session>
4. ✅ The category created by User A is deleted by User B. |
|---|
| Источник | ⚠️ https://github.com/nmmorette/vulnerability-research/blob/main/BFLA%20COCO%20Annotator%20in%20DELETE%20api%20undo/BFLA%20COCO%20Annotator%20in%20DELETE%20api%20undo%202f1ef09b8736807aa1f7ede4b64fa35d.md |
|---|
| Пользователь | nmmorette (UID 87361) |
|---|
| Представление | 23.01.2026 15:53 (5 месяцы назад) |
|---|
| Модерация | 06.02.2026 15:23 (14 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 344685 [jsbroks COCO Annotator до 0.11.1 Delete Category /api/undo/ ИД эскалация привилегий] |
|---|
| Баллы | 20 |
|---|