IDOR Vulnerability Allows the Owner of One Organization to Disable Users Belonging to Other Organizations in alfio-event/alf.io
Mar 22nd 2023
1 First, create two organizations, org1 and org2, owned by user1 and user2 respectively.
2 Log in as user1, click "disable" on a user, and capture the resulting request with Burp Suite.
3 The request looks like: POST /admin/api/users/2/enable/false HTTP/1.1
5 Replace the user id 2 in the path with 3.
6 Check the status of user2: it has been disabled.
Result: an organization owner can disable any user, not only users of the organization they own, because the endpoint trusts the user id in the path without checking that the target belongs to the caller's organization.
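The fix for this class of bug is a per-request, server-side authorization check that ties the target user id to an organization the caller actually owns. The Python model below is an added example written for this page, not alf.io's own code (alf.io is a Java/Spring application); User, Organization, UserStore, set_enabled, Forbidden and the sample ids are all assumptions. It shows the broken variant, which only checks "is the caller an owner of some organization", beside the corrected one.

```python
"""Organization-scoped authorization for an admin 'enable/disable user'
endpoint. Added, simplified model for this page; not alf.io's code.
Every name here (User, Organization, UserStore, set_enabled, Forbidden)
and every sample id is hypothetical."""
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    username: str
    org_id: int            # organization this user belongs to
    enabled: bool = True


@dataclass
class Organization:
    org_id: int
    owner_id: int          # user_id of the organization's owner


class Forbidden(Exception):
    """The caller is not allowed to manage the target user."""


class UserStore:
    def __init__(self) -> None:
        self.users: dict[int, User] = {}
        self.orgs: dict[int, Organization] = {}

    def add_org(self, org: Organization) -> None:
        self.orgs[org.org_id] = org

    def add_user(self, user: User) -> None:
        self.users[user.user_id] = user

    def owns_any_org(self, user_id: int) -> bool:
        return any(o.owner_id == user_id for o in self.orgs.values())

    def set_enabled_vulnerable(self, caller_id: int, target_id: int, enabled: bool) -> bool:
        """Broken variant: the only check is 'caller owns some organization'.
        The target id taken from the URL is trusted as-is, so any owner can
        flip the status of any user (the IDOR described in the report)."""
        if not self.owns_any_org(caller_id):
            raise Forbidden("caller is not an organization owner")
        target = self.users[target_id]
        target.enabled = enabled
        return target.enabled

    def set_enabled(self, caller_id: int, target_id: int, enabled: bool) -> bool:
        """Fixed variant: the target must belong to an organization the caller
        owns. The check uses stored membership, never client-supplied data,
        and an unknown target is refused the same way as a foreign one so the
        endpoint does not double as a user-id enumeration oracle."""
        target = self.users.get(target_id)
        if target is None or self.orgs[target.org_id].owner_id != caller_id:
            raise Forbidden("target user is not in an organization the caller owns")
        target.enabled = enabled
        return target.enabled


def build_sample_store() -> UserStore:
    """Constructed sample data mirroring the report: org1 owned by user1,
    org2 owned by user2, plus one ordinary member in each organization."""
    store = UserStore()
    store.add_org(Organization(org_id=1, owner_id=1))
    store.add_org(Organization(org_id=2, owner_id=2))
    store.add_user(User(1, "user1", org_id=1))
    store.add_user(User(2, "user2", org_id=2))
    store.add_user(User(3, "member-of-org1", org_id=1))
    store.add_user(User(4, "member-of-org2", org_id=2))
    return store


def cross_org_disable_blocked(store: UserStore) -> bool:
    """True if user1 is refused when trying to disable org2's member (id 4)
    and that member is still enabled afterwards."""
    try:
        store.set_enabled(caller_id=1, target_id=4, enabled=False)
    except Forbidden:
        return store.users[4].enabled
    return False


if __name__ == "__main__":
    s = build_sample_store()
    print("vulnerable, user1 disables org2 member:", s.set_enabled_vulnerable(1, 4, False))
    s = build_sample_store()
    print("fixed, cross-org disable blocked:", cross_org_disable_blocked(s))
    print("fixed, own-org disable allowed:", s.set_enabled(1, 3, False))
```

The ownership check in set_enabled is the whole fix: the URL id is only used to look up the target, and the decision is made from the target's stored org membership compared with the caller's identity from the session. A regression test that replays the report's scenario (owner of org1 acting on a member of org2) and expects a refusal is the cheapest way to keep this from reappearing.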