IDOR in Users Edit screen in omeka/omeka-s


Reported on

Aug 5th 2023


By manipulating the User ID in the URL, users with low privilege can view the information of any users

Proof of Concept

Step 1: Login as user1 with author privilege, see that he can only access the edit screen of himself. Click on edit button.

Step 2: See the userID in the URL, modify it to the userID of Admin

Step 3: Now user1 can view some extra information of admin such as "User Settings", "API Keys"


Users with low privilege can view the extra information of any users

We are processing your report and will contact the omeka/omeka-s team within 24 hours. 4 months ago
We have contacted a member of the omeka/omeka-s team and are waiting to hear back 4 months ago
John Flatness validated this vulnerability 4 months ago
tuannq2299 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
John Flatness marked this as fixed in 4.0.4 with commit b3d887 3 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Aug 28th 2023
John Flatness published this vulnerability 3 months ago
to join this conversation