IDOR in Users Edit screen in omeka/omeka-s

Valid

Reported on

Aug 5th 2023

Description

By manipulating the User ID in the URL, users with low privilege can view the information of any users

Step 1: Login as user1 with author privilege, see that he can only access the edit screen of himself. Click on edit button.

Step 2: See the userID in the URL, modify it to the userID of Admin

Step 3: Now user1 can view some extra information of admin such as "User Settings", "API Keys"

Users with low privilege can view the extra information of any users

We are processing your report and will contact the omeka/omeka-s team within 24 hours. 4 months ago

We have contacted a member of the omeka/omeka-s team and are waiting to hear back 4 months ago

John Flatness validated this vulnerability 4 months ago

tuannq2299 has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

John Flatness marked this as fixed in 4.0.4 with commit b3d887 3 months ago

The fix bounty has been dropped

This vulnerability has been assigned a CVE

This vulnerability is scheduled to go public on Aug 28th 2023

John Flatness published this vulnerability 3 months ago

to join this conversation