| Title | Open-Source LitmusChaos 3.19.0 IDOR in Project Access Control |
|---|
| Description | Description
A critical Insecure Direct Object Reference (IDOR) vulnerability was discovered in the LitmusChaos platform, allowing low-privileged users to access sensitive data from projects they do not own or have permission to view. By manipulating the projectID parameter in the URL, attackers can bypass access controls and retrieve internal data from other users’ projects.
Details
The application uses the projectID parameter within various endpoints to load project-specific data. However, the backend does not verify whether the requesting user is authorized to access the specified project. This leads to unauthorized data exposure by simply altering the projectID value in the request.
For example, a user assigned to projectID=abc123 can replace this ID with another valid project ID such as projectID=xyz789 and receive a successful response containing unauthorized project information. |
|---|
| Source | ⚠️ https://github.com/MaiqueSilva/VulnDB/blob/main/readme03.md |
|---|
| User | maique (UID 88562) |
|---|
| Submission | 07/31/2025 02:36 (9 months ago) |
|---|
| Moderation | 08/09/2025 07:34 (9 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 319321 [LitmusChaos Litmus up to 3.19.0 projectID resource injection] |
|---|
| Points | 20 |
|---|