Mk-Auth Insecure Direct Object Reference Vulnerability Allowing Unauthorized Access to Support Calls

Vulnerability

An insecure direct object reference vulnerability has been identified in Mk-Auth version 23.01K4.9, a management system for Internet Service Providers in Brazil. This vulnerability allows authenticated users to access and manipulate support calls of other users by altering the 'chamado' parameter in a crafted GET request. The issue arises in the 'Central/Suporte/ChamadosTécnicos' component, where users can inadvertently bypass authorization and gain control over another user's support page.

Impact

Exploitation of this vulnerability allows for unauthorized access to and manipulation of support calls belonging to other users.

Reproduction

To reproduce this vulnerability, an authenticated user must navigate to the 'Central/Suporte' section and access the 'Chamados Técnicos' page. Once there, the user can change the 'chamado' parameter in the URL to reference another user's support call, thereby gaining access to and control over that call.
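The missing control is an ownership check on the 'chamado' value. The following is an added illustration, not Mk-Auth's code: it contrasts a lookup keyed only on the call id with one scoped to the session user, and applies the same scoping to a state change. The table name, column names, function names and sample rows are assumptions constructed for the example.

```python
import sqlite3

class NotFound(Exception):
    """Raised for missing and foreign calls alike, so replies do not reveal which ids exist."""

def make_db():
    # Constructed sample data: two subscribers with one support call each (hypothetical schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE chamados (id TEXT PRIMARY KEY, login TEXT, assunto TEXT, status TEXT)")
    db.executemany("INSERT INTO chamados VALUES (?, ?, ?, ?)", [
        ("1001", "alice", "No signal", "open"),
        ("1002", "bob", "Billing question", "open"),
    ])
    return db

def get_call_vulnerable(db, session_login, chamado):
    # IDOR pattern: the session identity is ignored, so any existing id is returned.
    return db.execute(
        "SELECT id, login, assunto, status FROM chamados WHERE id = ?",
        (chamado,)).fetchone()

def get_call(db, session_login, chamado):
    # Ownership is part of the query: the row must belong to the session user.
    row = db.execute(
        "SELECT id, login, assunto, status FROM chamados WHERE id = ? AND login = ?",
        (chamado, session_login)).fetchone()
    if row is None:
        raise NotFound(chamado)
    return row

def close_call(db, session_login, chamado):
    # State-changing actions need the same scoping as reads.
    cur = db.execute(
        "UPDATE chamados SET status = 'closed' WHERE id = ? AND login = ?",
        (chamado, session_login))
    if cur.rowcount != 1:
        raise NotFound(chamado)
    db.commit()

if __name__ == "__main__":
    db = make_db()
    print("unscoped lookup:", get_call_vulnerable(db, "alice", "1002"))
    try:
        get_call(db, "alice", "1002")
    except NotFound:
        print("scoped lookup: not found")
```

The session login must come from server-side session state, never from a request parameter.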

Added: May 12, 2026, 4:34 PM
Updated: May 12, 2026, 4:34 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 4.6
remediation: 0.0
relevance: 8.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.