prompts.chat Authorization Bypass Vulnerability Allowing Unauthorized Access to Private Data

Vulnerability

A vulnerability exists in prompts.chat prior to commit 7b81836, where multiple authorization bypass issues allow unauthorized users to access sensitive information linked to private prompts. The flaw arises from the absence of proper privacy (isPrivate) checks in several API endpoints and in page metadata generation. Exploitation of this vulnerability enables access to a private prompt's version history, change requests, examples and current content, as well as metadata such as its title and description exposed through the page's HTML meta tags.

Impact

Exploitation of this vulnerability could lead to unauthorized access to private prompt data, including version histories, change requests, examples, current content, and associated metadata.

Reproduction

To reproduce this vulnerability, request a private prompt's API endpoints, or the pages that generate its metadata, as a user who does not own the prompt. Because the isPrivate checks are missing, the private prompt is served without authorization, allowing retrieval of sensitive data such as its prompt history and metadata.
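The following is an added illustration of the defect class described in the Vulnerability and Reproduction sections, written for this page; it is not prompts.chat's own code and does not reflect its real data model, route names or fix. The Prompt and Viewer types, the in-memory store, and the helper names (canViewPrompt, getHistory, generatePromptMetadata) are all assumptions. It shows a history endpoint that omits the isPrivate check beside a hardened form, and a metadata generator that applies the same gate so that titles and descriptions of private prompts do not leak through meta tags.

```typescript
// Added illustration, not prompts.chat's own code. Types, data and helper
// names below are assumptions made for this example.

type Viewer = { userId: string } | null; // null = unauthenticated request

interface Prompt {
  id: string;
  ownerId: string;
  isPrivate: boolean;
  title: string;
  description: string;
  content: string;
  history: string[]; // earlier versions, oldest first
}

// Constructed sample data standing in for the database.
const PROMPTS: Prompt[] = [
  { id: "p1", ownerId: "alice", isPrivate: false, title: "Public recipe helper",
    description: "Suggests dinner ideas", content: "v2 content", history: ["v1 content"] },
  { id: "p2", ownerId: "alice", isPrivate: true, title: "Internal incident triage",
    description: "Contains internal runbook details", content: "v3 content",
    history: ["v1 content", "v2 content"] },
];

function findPrompt(id: string): Prompt | undefined {
  return PROMPTS.find((p) => p.id === id);
}

// The single authorization rule every prompt-scoped endpoint and page must apply:
// public prompts are visible to everyone, private prompts only to their owner.
function canViewPrompt(prompt: Prompt, viewer: Viewer): boolean {
  if (!prompt.isPrivate) return true;
  return viewer !== null && viewer.userId === prompt.ownerId;
}

type ApiResult<T> = { status: 200; body: T } | { status: 404; body: { error: string } };

// Shape of the flaw: the endpoint looks the prompt up and returns its history
// without ever consulting isPrivate, so anyone with the id gets private data.
function getHistoryMissingCheck(id: string, _viewer: Viewer): ApiResult<string[]> {
  const prompt = findPrompt(id);
  if (!prompt) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: prompt.history };
}

// Hardened form: the same lookup, gated by canViewPrompt. Answering 404 rather
// than 403 avoids confirming that a private prompt id exists at all.
function getHistory(id: string, viewer: Viewer): ApiResult<string[]> {
  const prompt = findPrompt(id);
  if (!prompt || !canViewPrompt(prompt, viewer)) {
    return { status: 404, body: { error: "not found" } };
  }
  return { status: 200, body: prompt.history };
}

// Page metadata (the <title> and <meta name="description"> tags) is typically
// produced by a separate code path from the page body, so it needs the same
// gate. For a prompt the viewer may not see, emit a generic title and no description.
interface PageMetadata { title: string; description?: string }

function generatePromptMetadata(id: string, viewer: Viewer): PageMetadata {
  const prompt = findPrompt(id);
  if (!prompt || !canViewPrompt(prompt, viewer)) {
    return { title: "Prompt" };
  }
  return { title: prompt.title, description: prompt.description };
}

// Stand-alone demonstration: an unauthenticated viewer against the private prompt.
console.log(getHistoryMissingCheck("p2", null)); // leaks history
console.log(getHistory("p2", null));             // 404
console.log(generatePromptMetadata("p2", null)); // generic title only
```

The point of routing every check through one helper is that a review can verify each prompt-scoped handler and metadata function calls it, rather than re-auditing ad hoc ownership logic per endpoint; a unit test that exercises each route as an unauthenticated viewer against a private fixture catches the regression this advisory describes.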

Remediation

Users are advised to update to the latest version of prompts.chat, where this vulnerability has been addressed.

Added: Apr 3, 2026, 9:28 PM
Updated: Apr 3, 2026, 9:28 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  8.4
remediation     0.0
relevance       5.2
threat          4.8
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.