BOLD Workplanner Insecure Direct Object Reference Vulnerability
Vulnerability
An Insecure Direct Object Reference (IDOR) vulnerability has been identified in BOLD Workplanner, specifically in versions prior to 2.5.25. The vulnerability arises from insufficient validation of user input: an authenticated user can retrieve planning counter details by supplying internal identifiers that they are not authorized to use. The exposed information includes employee numbers, names, national identity numbers, clock-in records, holiday requests, and absence records, corresponding to any employee within the company.
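To make the failure mode concrete, the following is an added, hypothetical illustration in Python; it is not BOLD Workplanner's code or API. It assumes an invented planning counter record, a request handler that looks up a record by its internal identifier, and invented user roles (`employee`, `manager`). The vulnerable handler only checks that the caller is authenticated; the hardened handler additionally checks that the caller owns the record or is a manager of its owner, and a small detection heuristic flags a session that walks through many distinct identifiers in constructed access-log lines.

```python
"""Hypothetical IDOR illustration: a planning-counter lookup that trusts the
caller-supplied internal id, beside one that enforces authorization.
All names, fields, roles and log formats are invented for this example."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    employee_id: int
    role: str                                              # "employee" or "manager"
    manages: frozenset = field(default_factory=frozenset)  # employee ids a manager may view


@dataclass(frozen=True)
class PlanningCounter:
    counter_id: int        # internal identifier the client sends in the request
    employee_id: int       # owner of the record
    name: str
    national_id: str
    clock_ins: tuple
    holiday_requests: tuple


# Constructed sample records (all values invented)
COUNTERS = {
    101: PlanningCounter(101, 1, "Alice", "AB123456", ("2024-01-02 08:59",), ("2024-03-04",)),
    102: PlanningCounter(102, 2, "Bob", "CD654321", ("2024-01-02 09:10",), ()),
    103: PlanningCounter(103, 3, "Carol", "EF111222", (), ("2024-05-06",)),
}


class Forbidden(Exception):
    """Raised when the caller may not access the requested record."""


def vulnerable_get_counter(user, counter_id):
    """Insufficient validation: the caller is authenticated, but the record is
    returned for whatever internal id was supplied, regardless of ownership."""
    return COUNTERS.get(counter_id)


def can_view(user, record):
    """Authorization rule: owners see their own record; managers see the
    records of the employees they manage."""
    if record.employee_id == user.employee_id:
        return True
    return user.role == "manager" and record.employee_id in user.manages


def secure_get_counter(user, counter_id):
    """Hardened lookup: the identifier alone never grants access."""
    record = COUNTERS.get(counter_id)
    if record is None or not can_view(user, record):
        # Identical outcome for "missing" and "not yours", so the response
        # does not reveal which internal ids exist.
        raise Forbidden(f"counter {counter_id} is not accessible to employee {user.employee_id}")
    return record


def access_allowed(user, counter_id):
    """Convenience wrapper returning True/False instead of raising."""
    try:
        secure_get_counter(user, counter_id)
        return True
    except Forbidden:
        return False


# Constructed access-log lines: "<user_id> GET /counters/<counter_id>"
SAMPLE_LOG = [
    "1 GET /counters/101",
    "1 GET /counters/101",
    "9 GET /counters/101",
    "9 GET /counters/102",
    "9 GET /counters/103",
    "9 GET /counters/104",
]


def flag_enumeration(log_lines, threshold=3):
    """Detection heuristic: return user ids that requested more distinct
    counter ids than the threshold, a typical sign of id walking."""
    seen = {}
    for line in log_lines:
        user_id, _method, path = line.split()
        counter_id = path.rsplit("/", 1)[-1]
        seen.setdefault(user_id, set()).add(counter_id)
    return sorted(u for u, ids in seen.items() if len(ids) > threshold)


if __name__ == "__main__":
    alice = User(1, "employee")
    print("vulnerable:", vulnerable_get_counter(alice, 102).name)   # another employee's record
    print("hardened, own record:", secure_get_counter(alice, 101).name)
    print("hardened, other record allowed:", access_allowed(alice, 102))
    print("flagged users:", flag_enumeration(SAMPLE_LOG))
```

The hardened handler is the remediation pattern for this class of bug: the server resolves the identifier and then decides access from the authenticated principal's relationship to the record, never from the identifier itself. Returning the same error for nonexistent and unauthorized identifiers keeps the id space from being enumerated, and the log heuristic gives a first-pass detection signal for accounts that walk through identifiers.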
Impact
Exploitation of this vulnerability allows unauthorized access to sensitive employee planning counter details, potentially leading to misuse of personal information and management records.
Remediation
Users can upgrade to BOLD Workplanner version 2.5.25 or later to address this vulnerability.
