LitmusChaos Insecure Direct Object Reference Vulnerability in Project Access Control
Vulnerability
A critical Insecure Direct Object Reference (IDOR) vulnerability exists in LitmusChaos versions through 3.19.0. This vulnerability allows low-privileged users to access sensitive information from projects belonging to other users by manipulating the projectID parameter in the URL. The application fails to properly validate user permissions before granting access to project data, leading to unauthorized disclosure of internal project information.
Impact
Exploitation of this vulnerability allows authenticated users to access confidential project metadata of other users, resulting in unauthorized data exposure, enumeration of internal user roles, emails, or team structures, and potential reconnaissance for further privilege escalation or social engineering attacks.
Reproduction
To reproduce this vulnerability, log in as a user with access to a project. While navigating the platform, observe the projectID in the URL. Replace this ID with the projectID of another user’s project and refresh the page. The sensitive information from the other user’s project will be displayed, confirming the access control flaw.
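The missing check, shown in Go as an added illustration that is not LitmusChaos code: the unchecked lookup that trusts a client-supplied projectID next to the hardened lookup that decides access from the authenticated user's membership. The types, function names and sample data are hypothetical constructions for this example.

```go
package main

import "errors"

// Constructed sample model; these are not LitmusChaos types or APIs.
type Project struct {
	ID      string
	Name    string
	Members map[string]string // userID -> role
}

var ErrNotFound = errors.New("project not found")

type ProjectStore map[string]*Project

// GetProjectUnchecked mirrors the flawed pattern behind the IDOR: the
// client-supplied projectID is trusted and the caller's membership is
// never consulted, so any authenticated user can read any project.
func (s ProjectStore) GetProjectUnchecked(projectID string) (*Project, error) {
	p, ok := s[projectID]
	if !ok {
		return nil, ErrNotFound
	}
	return p, nil
}

// GetProjectForUser is the hardened form: authorization is decided
// server-side from the authenticated userID, and a non-member receives the
// same "not found" answer as a nonexistent project, so project IDs cannot
// be enumerated through differing response codes.
func (s ProjectStore) GetProjectForUser(userID, projectID string) (*Project, error) {
	p, ok := s[projectID]
	if !ok {
		return nil, ErrNotFound
	}
	if _, member := p.Members[userID]; !member {
		return nil, ErrNotFound
	}
	return p, nil
}

// SampleStore builds the constructed fixture: two projects with disjoint members.
func SampleStore() ProjectStore {
	return ProjectStore{
		"proj-a": {ID: "proj-a", Name: "alpha", Members: map[string]string{"alice": "Owner"}},
		"proj-b": {ID: "proj-b", Name: "beta", Members: map[string]string{"bob": "Owner"}},
	}
}
```

The userID passed to GetProjectForUser must come from the server-side session or validated token, never from the request URL or body, or the check is only as strong as the attacker-controlled input.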
