One Incorrect Access Control Vulnerability in User Management API
Vulnerability
An incorrect access control vulnerability has been identified in One version 1.0. It allows an unauthenticated attacker to read sensitive information through the user management API, bypassing the authentication requirement. The root cause is an access control check that does not reliably limit the API to authenticated users.
Impact
Exploitation of this vulnerability leads to unauthorized access to sensitive information via the user management API.
Reproduction
To reproduce this vulnerability, send a request to the '/api/user/manager' endpoint without authentication. This request will be denied. However, by sending a request to '/static;/../api/user/manager', it is possible to bypass authentication and gain access to the sensitive information.
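The reproduction above is the classic mismatch between the path an authentication filter inspects and the path the router actually dispatches. The following is an added illustration, not code from the One project: it assumes (as a hypothesis about the bug class, not a fact stated in the advisory) that the vulnerable check matches the raw request path against a protected prefix, while the routing layer later strips `;` path parameters and resolves `..` segments, so `/static;/../api/user/manager` escapes the check but still reaches the endpoint. The hardened check evaluates the canonical path instead.

```python
"""Raw-path vs canonical-path authorization check (added example).

Assumption (hypothetical, not from the advisory): the app guards
everything under '/api/' and canonicalizes the path for routing.
"""
import posixpath
from urllib.parse import unquote

PROTECTED_PREFIXES = ("/api/",)


def naive_requires_auth(raw_path: str) -> bool:
    """Vulnerable pattern: prefix-match the path exactly as the client sent it."""
    return raw_path.startswith(PROTECTED_PREFIXES)


def canonicalize(raw_path: str) -> str:
    """Reproduce what a typical router does before dispatch:
    percent-decode, drop ';param' path parameters from every segment,
    and collapse '.' / '..' segments. The result always starts with '/'."""
    path = unquote(raw_path)
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    path = posixpath.normpath("/".join(segments))
    return path if path.startswith("/") else "/" + path


def hardened_requires_auth(raw_path: str) -> bool:
    """Fixed pattern: decide on the same canonical path the router will use.
    A stricter alternative is to reject any raw path containing '..' or ';'
    outright before routing."""
    return canonicalize(raw_path).startswith(PROTECTED_PREFIXES)


def is_allowed(raw_path: str, authenticated: bool, check=hardened_requires_auth) -> bool:
    """Access decision: protected paths need an authenticated caller."""
    return authenticated or not check(raw_path)


if __name__ == "__main__":
    bypass = "/static;/../api/user/manager"  # path from the advisory
    print("naive check requires auth:   ", naive_requires_auth(bypass))
    print("router dispatches to:        ", canonicalize(bypass))
    print("hardened check requires auth:", hardened_requires_auth(bypass))
```

The naive check lets the advisory's path through unauthenticated, yet the canonical form is exactly `/api/user/manager`; the hardened check closes that gap, and the same canonicalization also catches the percent-encoded variant `/static/%2e%2e/api/user/manager`.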