Improper Privilege Management in rhizome-conifer/conifer
Dec 23rd 2021
Hi there, I would like to report an improper privilege escalation in conifer. Any user can view all recordings of other users.
Proof of Concept
- Go to https://conifer.rhizome.org/ and register 2 accounts, let's call them user1 and user2
- Use user1 and create a collection, let's name it collection1
- Log in as user2 and go to this link
- See that you can view all recordings of user1.
This vulnerability is capable of viewing all users' recordings.
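The missing control the report describes is an ownership/visibility check on the collection lookup. The following is an added illustration, not Conifer's code: a minimal in-memory model with the unchecked lookup beside a hardened one (collection names, recording ids and the `public` flag are assumed).

```python
# Added example, not code from the Conifer project. Models the access-control
# gap described above: a collection fetched by owner/name without checking
# who is asking. All data and names here are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Collection:
    owner: str
    name: str
    public: bool = False
    recordings: list = field(default_factory=list)


# Constructed sample data: user1 owns one private and one public collection.
COLLECTIONS = {
    ("user1", "collection1"): Collection("user1", "collection1", False,
                                         ["rec-a", "rec-b"]),
    ("user1", "shared"): Collection("user1", "shared", True, ["rec-c"]),
}

# Denied requests are recorded here so a defender can alert on enumeration.
DENIALS = []


def list_recordings_vulnerable(requester, owner, coll_name):
    """Looks the collection up by path only; the requester is never consulted,
    so any logged-in user can read any other user's recordings."""
    coll = COLLECTIONS.get((owner, coll_name))
    if coll is None:
        return None
    return list(coll.recordings)


def can_view(requester, coll):
    """Owner always; anyone else only when the collection is public."""
    return requester == coll.owner or coll.public


def list_recordings_fixed(requester, owner, coll_name):
    """Same lookup, but authorization is enforced before data is returned.
    Missing and forbidden collections both yield None, so the response does
    not reveal whether a private collection exists."""
    coll = COLLECTIONS.get((owner, coll_name))
    if coll is None:
        return None
    if not can_view(requester, coll):
        DENIALS.append((requester, owner, coll_name))
        return None
    return list(coll.recordings)
```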