jsbroks COCO Annotator Broken Function Level Authorization Vulnerability in Delete Category Handler

Vulnerability

A broken function level authorization vulnerability has been identified in jsbroks COCO Annotator versions through 0.11.1. The issue resides in the Delete Category Handler, specifically within the /api/undo/ endpoint. The vulnerability allows authenticated users to delete categories created by others without proper authorization checks. This can lead to unauthorized manipulation of resources, causing data integrity issues and potential denial-of-service in multi-tenant environments.

Impact

Exploitation of this vulnerability allows any authenticated user to delete categories created by other users. The application does not verify whether the requester is the original creator of the category or holds administrative privileges, leading to data loss and potential disruption of service.

Reproduction

To reproduce this vulnerability, log in as a user and create a category. Then, log in as a different user who does not have permission to delete that category. Send a DELETE request to the /api/undo/ endpoint, including the ID of the category created by the first user. The request will be processed successfully, and the category will be deleted, demonstrating the lack of authorization checks.
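The following is an added illustration of the missing check described above, not code from COCO Annotator itself: a delete handler that, like the reported flaw, accepts any authenticated requester, next to a hardened form that requires the requester to be the category's creator or an administrator. The in-memory store, the `User`/`Category` models and the HTTP-style status codes are assumptions made for this example.

```python
"""Added example (not COCO Annotator's code): ownership/role check for a
category-delete handler. Models, store and status codes are assumptions."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    id: int
    is_admin: bool = False


@dataclass
class Category:
    id: int
    name: str
    creator_id: int
    deleted: bool = False


@dataclass
class Store:
    categories: dict = field(default_factory=dict)


def undo_delete_unchecked(store: Store, requester: User, category_id: int) -> int:
    """Models the reported behaviour: existence is checked, ownership is not,
    so any authenticated user can delete any category."""
    cat = store.categories.get(category_id)
    if cat is None:
        return 404
    cat.deleted = True
    return 200


def undo_delete_checked(store: Store, requester: User, category_id: int) -> int:
    """Hardened form: the request is refused (403) unless the requester
    created the category or is an administrator."""
    cat = store.categories.get(category_id)
    if cat is None:
        return 404
    if requester.id != cat.creator_id and not requester.is_admin:
        return 403  # function-level authorization check the report says is missing
    cat.deleted = True
    return 200


def make_fixture():
    """Constructed sample data: one category owned by user 10, plus three users."""
    store = Store({1: Category(1, "car", creator_id=10)})
    return store, User(10), User(20), User(30, is_admin=True)
```

In the hardened handler the authorization decision is made per object, after the lookup, so a requester who is neither creator nor admin leaves the category untouched.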

Added: Feb 7, 2026, 8:17 PM
Updated: Feb 7, 2026, 8:17 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 6.2
remediation: 0.0
relevance: 2.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.