Teklifolustur App Insecure Direct Object Reference Vulnerability Allowing Unauthorized Access to Offers
Vulnerability
An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the Teklifolustur App, a web-based PHP application for managing client quotes. This vulnerability affects all versions prior to the patch in commit dd082a134a225b8dcd401b6224eead4fb183ea1c. Because the offer view functionality performs no authorization check on the requested record, an authenticated user can change the offer_id parameter and view offers that belong to other users.
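The pattern behind this class of bug, as an added example that is not Teklifolustur's code: an offer lookup that trusts offer_id alone, beside one that also binds the lookup to the owner taken from the server-side session. Table and column names (offers, id, user_id, title) and the use of PDO with an in-memory SQLite fixture are assumptions made for the example.

```php
<?php
// Added example (not the project's code). Table/column names are assumptions.

// Constructed in-memory fixture so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE offers (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, title TEXT NOT NULL)');
$db->exec("INSERT INTO offers VALUES (1, 10, 'Offer for client A'), (2, 20, 'Offer for client B')");

// IDOR-prone: the row is selected by offer_id only, so any authenticated user
// who supplies another user's id receives that user's offer.
function getOfferInsecure(PDO $db, int $offerId): ?array
{
    $stmt = $db->prepare('SELECT id, user_id, title FROM offers WHERE id = ?');
    $stmt->execute([$offerId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Hardened: the owner comes from the session, never from the request, and is
// part of the query, so a foreign offer_id yields no row (answer with 404/403).
function getOfferForUser(PDO $db, int $offerId, int $sessionUserId): ?array
{
    $stmt = $db->prepare('SELECT id, user_id, title FROM offers WHERE id = ? AND user_id = ?');
    $stmt->execute([$offerId, $sessionUserId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Simulated request: session user 10 asks for offer_id=2, which belongs to user 20.
$sessionUserId    = 10;
$requestedOfferId = (int) '2';   // in the app this would be (int) $_GET['offer_id']

$leaked = getOfferInsecure($db, $requestedOfferId);
$scoped = getOfferForUser($db, $requestedOfferId, $sessionUserId);

echo 'insecure lookup: ', $leaked ? "returned offer {$leaked['id']} owned by user {$leaked['user_id']}" : 'no row', PHP_EOL;
echo 'scoped lookup:   ', $scoped ? "returned offer {$scoped['id']}" : 'no row, deny the request', PHP_EOL;
```

Scoping the query to the session user (or checking the fetched row's user_id before rendering) is the safeguard the advisory says was missing; an access log showing one user requesting many sequential offer_id values is the corresponding detection signal.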
Impact
Exploitation of this vulnerability allows for unauthorized access to other users' offers, potentially leading to privacy violations or misuse of sensitive information.
Reproduction
To reproduce this vulnerability, an authenticated user can manipulate the offer_id parameter in the request to access offers belonging to other users. This can be done by sending a request with a modified offer_id that corresponds to an offer owned by a different user.
Remediation
Users can update to version 7bc1fb0 or later, where this vulnerability has been patched.
