Submission #625982: Open-Source LitmusChaos 3.19.0 Authorization Bypass via LocalStorage (info)

Title: Open-Source LitmusChaos 3.19.0 Authorization Bypass via LocalStorage
Description: An authorization bypass vulnerability was identified in the LitmusChaos platform, where an authenticated user can escalate their privileges and gain owner-level access to a project by manipulating the projectID value stored in the browser's LocalStorage. This occurs because the backend does not properly validate project ownership and user authorization. The LitmusChaos platform stores the projectID in the browser's LocalStorage, where the client can modify it freely. When this value is changed to reference a different project, the application fails to verify whether the user is authorized to access or control that project. As a result, the attacker can perform privileged operations, such as editing configurations, deleting resources, or inviting users, on a project they do not own. This design flaw shifts critical access control logic to the client side, violating standard security practice and enabling unauthorized privilege escalation.
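The defect described above is that the server acts on whatever projectID the browser sends without re-checking, on the server side, what role the calling user actually holds on that project. The following Go program is an added illustration, not LitmusChaos code: it contrasts a handler that trusts the client-supplied projectID with one that re-derives authorization from a server-side membership record on every request. The membership table, user and project identifiers, and role names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Role is a project-level role recorded on the server. The names are assumed
// for this example and are not taken from the LitmusChaos data model.
type Role string

const (
	RoleOwner  Role = "Owner"
	RoleEditor Role = "Editor"
	RoleViewer Role = "Viewer"
)

// membership is one row of the server-side project/user/role record.
type membership struct {
	ProjectID string
	UserID    string
	Role      Role
}

// memberships is a constructed in-memory stand-in for the project database.
var memberships = []membership{
	{ProjectID: "proj-a", UserID: "alice", Role: RoleOwner},
	{ProjectID: "proj-b", UserID: "bob", Role: RoleOwner},
	{ProjectID: "proj-b", UserID: "alice", Role: RoleViewer},
}

// ErrForbidden is returned when the caller holds no sufficient role on the project.
var ErrForbidden = errors.New("forbidden: user is not authorized for this project")

// vulnerableDelete models the flaw in the report: the projectID comes straight
// from the client (e.g. from LocalStorage) and the handler never checks what
// relationship the authenticated user has with that project.
func vulnerableDelete(userID, projectID string) error {
	// No authorization check: any authenticated user may act on any project.
	_ = userID
	_ = projectID
	return nil
}

// lookupRole resolves the caller's role from the server-side record only,
// ignoring anything the client claims about its own role.
func lookupRole(userID, projectID string) (Role, bool) {
	for _, m := range memberships {
		if m.ProjectID == projectID && m.UserID == userID {
			return m.Role, true
		}
	}
	return "", false
}

// authorize returns nil only if the caller holds one of the allowed roles on
// the project; a missing membership is treated the same as an insufficient one.
func authorize(userID, projectID string, allowed ...Role) error {
	role, ok := lookupRole(userID, projectID)
	if !ok {
		return ErrForbidden
	}
	for _, r := range allowed {
		if role == r {
			return nil
		}
	}
	return ErrForbidden
}

// hardenedDelete re-derives authorization on every request. The client may
// still send any projectID it likes; the server decides what that user may do.
func hardenedDelete(userID, projectID string) error {
	if err := authorize(userID, projectID, RoleOwner); err != nil {
		return err
	}
	// ... perform the privileged deletion here ...
	return nil
}

func main() {
	// alice (a Viewer on proj-b) has rewritten her LocalStorage projectID to
	// point at proj-b, which bob owns.
	fmt.Println("vulnerable handler:", vulnerableDelete("alice", "proj-b"))
	fmt.Println("hardened handler:  ", hardenedDelete("alice", "proj-b"))
}
```

The point of the hardened version is that projectID is treated as untrusted input that selects a resource, never as proof of access; the authorization decision is made from the authenticated identity plus the server's own membership record, so editing LocalStorage changes only which project is requested, not what the user is allowed to do to it.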
Source: https://github.com/MaiqueSilva/VulnDB/blob/main/readme04.md
User: maique (UID 88562)
Submitted: 31/07/2025 04:11 (9 months ago)
Moderated: 09/08/2025 07:34 (9 days later)
Status: accepted
VulDB Entry: 319322 [LitmusChaos Litmus up to 3.19.0 LocalStorage projectID privilege escalation]
Points: 20
