PlaciPy Missing Object-Level Authorization Vulnerability in Student Submission API

Vulnerability

A critical vulnerability exists in PlaciPy version 1.0.0, where the backend student submission routes authenticate users but neglect to perform object-level authorization checks. This oversight allows authenticated users to access, modify, or delete resources belonging to others, leading to unauthorized data access and potential privacy violations.

Impact

This is an Insecure Direct Object Reference (IDOR) flaw: because the routes look up submissions by identifier without confirming ownership, exploitation enables unauthorized data access, horizontal privilege escalation (one student acting on another student's records), privacy violations, and unauthorized modification or deletion of resources.

Remediation

To address this vulnerability, validate ownership for every object reference in the affected routes, not only on read but on update and delete as well. Centralize the authorization logic in one shared check so enforcement is consistent across routes, and reject the request whenever the authenticated user's ID does not match the resource owner's ID. Adopt a deny-by-default approach to authorization, so that a route that forgets to call the check fails closed rather than open.
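The following is an added illustration of the remediation described above, not PlaciPy's own code: a minimal in-memory submission store with the flawed authenticated-only lookup beside routes that all pass through one shared ownership check. The store, the user and submission IDs, and the route names are constructed for this example.

```python
# Added illustration of the advisory's remediation; not PlaciPy's own code.
# The store, ids and route names below are constructed for this example.
from dataclasses import dataclass

@dataclass(frozen=True)
class Submission:
    id: int
    owner_id: int
    body: str

class Forbidden(Exception):
    """Raised when the caller does not own the requested object."""

# Constructed sample data: two students, one submission each.
SUBMISSIONS = {
    1: Submission(id=1, owner_id=100, body="alice's essay"),
    2: Submission(id=2, owner_id=200, body="bob's essay"),
}

def get_submission_vulnerable(current_user_id: int, submission_id: int) -> Submission:
    """Flawed pattern: the caller is authenticated, but the object is fetched by
    id alone, so any student can read any other student's submission (IDOR)."""
    return SUBMISSIONS[submission_id]

def require_owner(current_user_id: int, resource) -> None:
    """Shared ownership check, deny by default: only an explicit owner match passes."""
    if getattr(resource, "owner_id", None) != current_user_id:
        raise Forbidden(f"user {current_user_id} does not own this resource")

def get_submission(current_user_id: int, submission_id: int) -> Submission:
    sub = SUBMISSIONS.get(submission_id)
    if sub is None:
        raise KeyError(submission_id)
    require_owner(current_user_id, sub)  # every route funnels through this check
    return sub

def delete_submission(current_user_id: int, submission_id: int) -> bool:
    sub = SUBMISSIONS.get(submission_id)
    if sub is None:
        return False
    require_owner(current_user_id, sub)  # same check on every mutating route
    del SUBMISSIONS[submission_id]
    return True

def can_access(current_user_id: int, submission_id: int) -> bool:
    """True only when the centralized ownership check passes."""
    try:
        get_submission(current_user_id, submission_id)
        return True
    except (Forbidden, KeyError):
        return False
```

Whether a foreign object is reported as forbidden or as not found is a product decision; what matters is that no route can reach the object without calling require_owner.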

Added: Feb 9, 2026, 9:18 PM
Updated: Feb 9, 2026, 10:13 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 5.2
remediation: 0.0
relevance: 2.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.