IDOR - Deleting user group
State | Resolved December 4, 2020 |
Issue ID | 0bhho094R |
Asset | Web application |
Bounty | $1,000 |
Reported at | December 3, 2020 |
Reporter | Lawrence Mburu |
Severity | High |
Visibility | Limited |
Weakness | CWE-1220 - Insufficient Granularity of Access Control
Description
The group-deletion endpoint does not check that the caller is authorized to manage the group referenced in the request, so an attacker can delete any user group, including groups belonging to other users. The attacker only needs to know the target group's ID (an insecure direct object reference).
Impact - An attacker can delete arbitrary groups, causing a service interruption for the users who were members of the deleted group.
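The following is an added illustration of the bug class in this report, not code from the affected application: a group-delete handler that trusts the caller-supplied group ID, beside one that ties the authorization decision to the object. The data model, user and group IDs, and the handler names are constructed assumptions.

```python
# Added illustration of an IDOR on a delete-group endpoint (CWE-1220).
# The data model, users, group IDs and handler names below are constructed
# assumptions; this is not the affected application's code.

from dataclasses import dataclass, field


class Forbidden(Exception):
    """HTTP 401/403 equivalent."""


class NotFound(Exception):
    """HTTP 404 equivalent."""


@dataclass
class Group:
    group_id: int
    owner_id: int            # user allowed to manage (delete) the group
    members: set = field(default_factory=set)


def make_store():
    """Constructed sample data: two users, each owning one group."""
    return {
        101: Group(101, owner_id=1, members={1, 5, 6}),
        102: Group(102, owner_id=2, members={2, 7}),
    }


def delete_group_vulnerable(store, caller_id, group_id):
    """Insecure handler (the bug class in the report).

    Checks only that the request is authenticated, then deletes whatever
    group_id the client supplied. Authorization is never tied to the
    object, so any logged-in user can delete any group whose ID they know.
    """
    if caller_id is None:
        raise Forbidden("authentication required")
    if group_id not in store:
        raise NotFound("no such group")
    del store[group_id]
    return True


def delete_group_fixed(store, caller_id, group_id):
    """Hardened handler: authorization is checked against the object.

    The group is looked up, then the caller must be its owner. A group that
    exists but is not the caller's is reported exactly like a missing one,
    so the endpoint cannot be used to confirm which IDs are valid.
    """
    if caller_id is None:
        raise Forbidden("authentication required")
    group = store.get(group_id)
    if group is None or group.owner_id != caller_id:
        raise NotFound("no such group")
    del store[group_id]
    return True


def attempt(handler, store, caller_id, group_id):
    """Run a handler and report the outcome as a short status string."""
    try:
        handler(store, caller_id, group_id)
        return "deleted"
    except Forbidden:
        return "forbidden"
    except NotFound:
        return "not_found"


def run_scenario(handler):
    """Attacker (user 2) targets user 1's group 101, then the owner tries.

    Returns (attacker_result, owner_result, surviving_group_ids).
    """
    store = make_store()
    attacker = attempt(handler, store, caller_id=2, group_id=101)
    owner = attempt(handler, store, caller_id=1, group_id=101)
    return attacker, owner, sorted(store)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(delete_group_vulnerable))
    print("fixed:     ", run_scenario(delete_group_fixed))
```

With the vulnerable handler the attacker's request succeeds and the owner later finds the group gone; with the fixed handler the attacker receives the same "not found" response as for a nonexistent ID, and only the owner can delete the group. Checking authentication alone is not enough for this class of bug: the check must be made against the specific object the request names.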