IDOR Vulnerability Allow the owner of one Organization can disable users that belong to other oggainzation in alfio-event/alf.io

Valid

Reported on

Mar 22nd 2023


1 first, we create two organizations: org1 and org2. The owner of them is user1 and user2 corresponding.

2 we login as user1 and click disable , then we use burpsuit to get the post.

3 The post can be like : POST /admin/api/users/2/enable/false HTTP/1.1

5 we replace user id 2 to 3.

6 check the status of user2 and we can find that it was disabled.

Impact

The user can disable any users

Occurrences

We do not check whether the current user and userid belong to same Organization

We are processing your report and will contact the alfio-event/alf.io team within 24 hours. 8 months ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 8 months ago
We have contacted a member of the alfio-event/alf.io team and are waiting to hear back 8 months ago
alfio-event/alf.io maintainer has acknowledged this report 8 months ago
Sylvain Jermini validated this vulnerability 8 months ago
lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Sylvain Jermini marked this as fixed in 2.0-M4-2304 with commit c9a16a 7 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Sylvain Jermini published this vulnerability 7 months ago
UserManager.java#L326 has been validated
to join this conversation