Canlineapp Online Broken Access Control Vulnerability Allowing Unauthorized Audit Template Creation
Vulnerability
A broken access control vulnerability has been identified in Canlineapp Online version 1.1. This issue allows users with the Auditor role to create audit templates, a function intended for supervisors, due to inadequate authorization checks. Auditors have successfully exploited this flaw to generate templates from their accounts.
Impact
Exploitation of this vulnerability could lead to unauthorized creation of audit templates by users with the Auditor role, bypassing intended access controls.
Reproduction
To reproduce this vulnerability, a user must hold the Auditor role in Canlineapp Online version 1.1 or prior. Once logged in, the user can send a POST request to the 'AddEditAuditTemp' API endpoint, for example with a tool like cURL. The request must include an authorization header and the data required for the audit template, such as the template name and description.
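The root cause is that the endpoint checks only that the caller is authenticated, not that the caller's role permits creating templates. As an added illustration, not Canlineapp's own code, the framework-free request and response types, the token store and the handler names below are assumed; it shows the authenticated-but-unauthorized pattern next to a hardened handler that enforces the Supervisor role server-side:

```python
from dataclasses import dataclass, field
# Constructed sample session store (bearer token -> identity); not Canlineapp data.
SESSIONS = {
    "tok-auditor-1": {"user": "alice", "role": "Auditor"},
    "tok-supervisor-1": {"user": "bob", "role": "Supervisor"},
}
TEMPLATES = []  # created templates, in insertion order
@dataclass
class Request:
    headers: dict
    json: dict
@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)

def authenticate(request):
    """Resolve the Authorization header to a session, or None if absent or unknown."""
    auth = request.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])

def add_edit_audit_temp_vulnerable(request):
    """The pattern the advisory describes: authenticated, but no role check at all."""
    if authenticate(request) is None:
        return Response(401)
    TEMPLATES.append(dict(request.json))
    return Response(201, {"id": len(TEMPLATES)})

def require_role(*roles):
    """Decorator enforcing authentication and role membership on the server side."""
    def decorator(handler):
        def wrapper(request):
            session = authenticate(request)
            if session is None:
                return Response(401)
            if session["role"] not in roles:
                return Response(403, {"error": "role not permitted"})
            return handler(request, session)
        return wrapper
    return decorator

@require_role("Supervisor")
def add_edit_audit_temp(request, session):
    """Hardened handler: only Supervisors reach the template-creation logic."""
    if not request.json.get("name"):
        return Response(400, {"error": "name required"})
    TEMPLATES.append({**request.json, "created_by": session["user"]})
    return Response(201, {"id": len(TEMPLATES)})
```

The role check must live on the server for every state-changing endpoint; hiding the button in the supervisor UI alone does nothing against a direct request.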
