IDOR in Users Edit screen in omeka/omeka-s
Aug 5th 2023
By manipulating the user ID in the URL, a user with low privilege can view the information of any other user.
Proof of Concept
Step 1: Log in as user1, who has author privilege, and observe that user1 can only reach their own edit screen. Click the edit button.
Step 2: Note the user ID in the URL and change it to the user ID of admin.
Step 3: user1 can now view extra information about admin, such as "User Settings" and "API Keys".
A user with low privilege can view the extra information (user settings, API keys) of any other user, because the edit screen checks only that the caller is logged in and not that the caller is allowed to open the record whose ID is in the URL.
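The pattern behind the report, as an added illustration that is not Omeka S code: a user-edit handler that authenticates the session but loads whichever record the URL names, next to a version that adds the missing object-level check (owner or global admin). The route shape, role names and user records are assumptions constructed for the example; `probe` replays the PoC by sending one low-privilege session through every user ID.

```python
"""Illustration of the IDOR described above. Not Omeka S code: the route
shape, role names and user records are assumptions made for this example."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List


@dataclass
class User:
    id: int
    name: str
    role: str                                   # assumed role names: "global_admin" / "author"
    settings: Dict[str, str] = field(default_factory=dict)
    api_keys: List[str] = field(default_factory=list)


# Constructed sample records, not real data.
USERS: Dict[int, User] = {
    1: User(1, "admin", "global_admin", {"locale": "en"}, ["key-admin-1"]),
    2: User(2, "user1", "author", {"locale": "fr"}, []),
}

EDIT_ROUTE = re.compile(r"^/admin/user/(\d+)/edit$")   # assumed route shape


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized for the record."""


def _target_id(path: str) -> int:
    """Extract the user ID the client placed in the URL."""
    m = EDIT_ROUTE.match(path)
    if not m:
        raise ValueError("not a user edit route")
    return int(m.group(1))


def _render(target: User) -> dict:
    """The 'extra information' the edit screen exposes."""
    return {"name": target.name, "settings": target.settings, "api_keys": target.api_keys}


def edit_screen_vulnerable(session_user_id: int, path: str) -> dict:
    """Pattern that produces the IDOR: the session proves the caller is logged in,
    but the record shown is whatever ID appears in the URL."""
    _ = USERS[session_user_id]                  # authentication only, no authorization
    return _render(USERS[_target_id(path)])


def edit_screen_fixed(session_user_id: int, path: str) -> dict:
    """Object-level authorization: the caller may open the edit screen only for
    their own record, or for any record if they hold the global admin role."""
    caller = USERS[session_user_id]
    target_id = _target_id(path)
    if target_id != caller.id and caller.role != "global_admin":
        raise Forbidden(f"user {caller.id} may not edit user {target_id}")
    return _render(USERS[target_id])


def probe(handler: Callable[[int, str], dict], session_user_id: int,
          user_ids: Iterable[int]) -> Dict[int, bool]:
    """Replay of the PoC: one session, every user ID in turn.
    Returns {id: True if the edit screen was served, False if refused}."""
    served = {}
    for uid in user_ids:
        try:
            handler(session_user_id, f"/admin/user/{uid}/edit")
            served[uid] = True
        except Forbidden:
            served[uid] = False
    return served


if __name__ == "__main__":
    # user1 (id 2, author) walks the ID space against both handlers.
    print("vulnerable:", probe(edit_screen_vulnerable, 2, USERS))
    print("fixed:     ", probe(edit_screen_fixed, 2, USERS))
```

The same probe is the regression check to keep after the fix: a low-privilege session must be refused for every ID other than its own, while an admin session still reaches every record.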