Improper Access Control (IDOR) in neorazorx/facturascripts


Reported on

Apr 28th 2022


Improper Access Control (IDOR) could leak admin information.

Proof of Concept

1. Log in as admin and edit a role so that it grants the permission to show user information, then save.

2. Log in as a user holding that role and go to the URL: all information about the admin (and about other users) is visible, including email address and IP address.
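The weakness the two steps describe is an object-level authorization gap: the role permission "may show user information" is treated as permission to open any user's record. The following is an added illustration, not FacturaScripts' code and not the fix shipped in the referenced commits; the user table, field names (`nick`, `email`, `last_ip`, `admin`) and the two functions are hypothetical. It places the permissive lookup beside a hardened one that releases a record only to its owner or to an administrator and logs every denial.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for a users table; the field names are
// hypothetical and do not follow FacturaScripts' schema.
const USERS = [
    'admin' => ['nick' => 'admin', 'email' => 'admin@example.test', 'last_ip' => '203.0.113.7',   'admin' => true],
    'maria' => ['nick' => 'maria', 'email' => 'maria@example.test', 'last_ip' => '198.51.100.20', 'admin' => false],
    'pedro' => ['nick' => 'pedro', 'email' => 'pedro@example.test', 'last_ip' => '192.0.2.44',    'admin' => false],
];

/**
 * Vulnerable pattern: the role permission ("may open the user page") is the
 * only check, so whatever nick arrives in the request is looked up and
 * returned. Nothing relates the requested record to the logged-in viewer.
 */
function showUserVulnerable(array $viewer, bool $roleAllowsShow, string $requestedNick): ?array
{
    if (!$roleAllowsShow) {
        return null;
    }
    return USERS[$requestedNick] ?? null;
}

/**
 * Hardened pattern: the role permission is still required, but the record is
 * released only when the viewer is an administrator or owns that record.
 * Denied lookups are logged, because one account requesting many different
 * nicks in a short time is the detection signal for IDOR probing.
 */
function showUserHardened(array $viewer, bool $roleAllowsShow, string $requestedNick): ?array
{
    if (!$roleAllowsShow) {
        return null;
    }
    $record = USERS[$requestedNick] ?? null;
    if ($record === null) {
        return null;
    }
    $isOwner = ($viewer['nick'] === $requestedNick);
    if (!$viewer['admin'] && !$isOwner) {
        error_log(sprintf('user-record access denied: viewer=%s requested=%s', $viewer['nick'], $requestedNick));
        return null;
    }
    return $record;
}

// Walk through the report's scenario: maria holds a role that allows "show user"
// and asks for the admin's record, then for her own; the admin asks for maria's.
$maria = USERS['maria'];
$cases = [
    'vulnerable, maria -> admin' => showUserVulnerable($maria, true, 'admin'),
    'hardened,   maria -> admin' => showUserHardened($maria, true, 'admin'),
    'hardened,   maria -> maria' => showUserHardened($maria, true, 'maria'),
    'hardened,   admin -> maria' => showUserHardened(USERS['admin'], true, 'maria'),
];
foreach ($cases as $label => $result) {
    echo $label, ': ',
        $result === null ? 'denied' : "email={$result['email']} last_ip={$result['last_ip']}",
        PHP_EOL;
}
```

Run with `php example.php`: only the first case hands maria the admin's email and IP; the hardened function denies that lookup (and writes a log line) while still serving maria her own record and serving the administrator any record. In a real application the same owner-or-admin decision belongs in the data-access layer, so that every controller reaching the user table inherits it rather than each one re-implementing it.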


- First, the admin's information should not be visible to any other user; exposing it can enable dangerous actions by attackers.

- Second, the impact of leaking IP addresses (of the admin or of any other user) is very serious: attackers can use them to obtain valuable information, including location and online identity, and, using that as a starting point, could potentially compromise a device, steal an identity, and more.

We are processing your report and will contact the neorazorx/facturascripts team within 24 hours. 2 years ago
dungtuanha modified the report 2 years ago
dungtuanha modified the report 2 years ago
We have contacted a member of the neorazorx/facturascripts team and are waiting to hear back 2 years ago
Carlos Garcia validated this vulnerability 2 years ago

This problem has been fixed in two commits

dungtuanha has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carlos Garcia marked this as fixed in 2022.06 with commit 92afdf 2 years ago
Carlos Garcia has been awarded the fix bounty