Ideagen Q-Pulse
cpe:2.3:a:ideagen:q-pulse:*:*:*:*:*:*:*
- 7.1.0.32
A vulnerability allowing unauthorized access to user profile information exists in Ideagen Q-Pulse version 7.1.0.32. This Insecure Direct Object Reference (IDOR) issue arises because the application fails to validate user permissions for the 'objectKey' parameter in the URL of the 'My Details' page. As a result, an authenticated user can manipulate this parameter to access the profiles of other users, retrieving sensitive information such as full names, email addresses, job titles, and department details.
Exploitation of this vulnerability allows an authenticated user to access and enumerate the profile information of all users within the Q-Pulse instance. This includes sensitive data that could be leveraged for targeted phishing attacks, social engineering, or further exploitation within the organization.
To reproduce this vulnerability, authenticate as a low-privileged user and navigate to the 'My Details' page. Note the 'objectKey' parameter in the URL, which corresponds to the user's internal identifier. Modify this parameter to reference a different valid user identifier and submit the request. The application will respond with the profile details of the user associated with the new 'objectKey', including their full name, work email, job title, and department. This process can be repeated to access the profiles of all users in the system.
It is recommended to implement server-side authorization checks to ensure users can only access their own profile information. Additionally, replace sequential user identifiers with non-guessable values to prevent enumeration. Organizations should also review their access control models to limit profile data access to the profile owner and authorized roles, such as administrators.
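The server-side check the recommendation above calls for, written out as an added example; this is illustrative code and not Ideagen's or Q-Pulse's implementation. It assumes a profile store keyed by the sequential internal objectKey, a hypothetical administrator role mapping, and constructed sample records whose field names mirror the data the advisory says is exposed. It also shows the second recommendation (opaque, non-guessable identifiers in place of sequential ones) and keeps a denied-access trail, since a single account accumulating many refusals is the signal a defender would alert on.

```python
"""Server-side authorization for a profile lookup keyed by an objectKey parameter.

Added example, not Ideagen's or Q-Pulse's code. The data, role mapping and
function names are assumptions made for the illustration.
"""
import secrets
from typing import Dict, List, Optional

# Constructed sample profile store keyed by a sequential internal objectKey.
# Field names mirror the data the advisory says is exposed; all values are made up.
PROFILES: Dict[str, Dict[str, str]] = {
    "1001": {"full_name": "Alice Example", "email": "alice@example.test",
             "job_title": "QA Lead", "department": "Quality"},
    "1002": {"full_name": "Bob Example", "email": "bob@example.test",
             "job_title": "Auditor", "department": "Compliance"},
    "1003": {"full_name": "Carol Example", "email": "carol@example.test",
             "job_title": "Administrator", "department": "IT"},
}

# Hypothetical role mapping: objectKeys whose owners hold the administrator role.
ADMINS = {"1003"}

# Denied-access audit trail (constructed). Feed this to a SIEM and alert when one
# account collects many refusals: that pattern is what profile enumeration looks like.
DENIED: List[Dict[str, str]] = []


class ProfileNotAvailable(Exception):
    """Raised both when the key is unknown and when the caller may not view it.

    One error for both cases keeps the endpoint from confirming which objectKeys
    exist to a caller who is probing them.
    """


def can_view_profile(requesting_user: str, object_key: str) -> bool:
    """Authorization rule: the profile owner, or any administrator, may view it."""
    return requesting_user == object_key or requesting_user in ADMINS


def get_profile(requesting_user: str, object_key: str) -> Dict[str, str]:
    """Look up a profile only after a server-side permission check.

    requesting_user comes from the authenticated session, never from the URL;
    the objectKey taken from the URL is checked against it before any data is read.
    """
    profile = PROFILES.get(object_key)
    if profile is None or not can_view_profile(requesting_user, object_key):
        DENIED.append({"user": requesting_user, "object_key": object_key})
        raise ProfileNotAvailable("profile not available")
    return dict(profile)


def lookup_is_refused(requesting_user: str, object_key: str) -> bool:
    """Convenience predicate: True when the check above rejects the request."""
    try:
        get_profile(requesting_user, object_key)
    except ProfileNotAvailable:
        return True
    return False


# --- Non-guessable identifiers --------------------------------------------------
# Sequential objectKeys (1001, 1002, ...) let a caller walk the whole directory.
# Exposing a random, opaque handle in URLs and resolving it server-side means the
# internal key never leaves the server and neighbouring records cannot be guessed.
OPAQUE_TO_INTERNAL: Dict[str, str] = {}
INTERNAL_TO_OPAQUE: Dict[str, str] = {}


def issue_opaque_key(internal_key: str) -> str:
    """Create (or return the existing) random URL-safe handle for an internal key."""
    if internal_key in INTERNAL_TO_OPAQUE:
        return INTERNAL_TO_OPAQUE[internal_key]
    handle = secrets.token_urlsafe(16)  # 128 bits of randomness; not enumerable
    OPAQUE_TO_INTERNAL[handle] = internal_key
    INTERNAL_TO_OPAQUE[internal_key] = handle
    return handle


def resolve_opaque_key(handle: str) -> Optional[str]:
    return OPAQUE_TO_INTERNAL.get(handle)


def get_profile_by_handle(requesting_user: str, handle: str) -> Dict[str, str]:
    """Same authorization check, applied after resolving the opaque handle."""
    internal = resolve_opaque_key(handle)
    if internal is None:
        DENIED.append({"user": requesting_user, "object_key": handle})
        raise ProfileNotAvailable("profile not available")
    return get_profile(requesting_user, internal)


def denied_count_for(user: str) -> int:
    """Detection helper: how many lookups this account has had refused."""
    return sum(1 for entry in DENIED if entry["user"] == user)


if __name__ == "__main__":
    print(get_profile("1001", "1001")["full_name"])   # owner: allowed
    print(get_profile("1003", "1002")["full_name"])   # administrator: allowed
    print(lookup_is_refused("1001", "1002"))          # another user's key: True
    alias = issue_opaque_key("1001")
    print(alias, get_profile_by_handle("1001", alias)["email"])
    print("refusals for 1001:", denied_count_for("1001"))
```

The owner-or-administrator rule is the minimum the advisory's recommendation asks for; a deployment with more roles would replace `can_view_profile` with its own policy lookup while keeping the shape of `get_profile`, where the check sits between reading the parameter and reading the record.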