IDOR - Deleting user group

State Resolved
December 4, 2020
Issue ID 0bhho094R
Asset Web application
Bounty $1,000
Reported at December 3, 2020
Reporter Lawrence Mburu
Severity High
Visibility Limited
Weakness CWE-1220 - Insufficient Granularity of Access Control

Description

Insufficient access control on the endpoint could allow an attacker to delete any user group. The attacker must know the group ID to perform this action.
Impact - An attacker who deletes a group might cause a service interruption for the users within that group.


The rest of the report is undisclosed.