Chyrp Lite
cpe:2.3:a:chyrplite:chyrp_lite:*:*:*:*:*:*:*, +1 more
- <= 2025.03.01
A vulnerability allowing Insecure Direct Object Reference (IDOR) and Mass Assignment has been identified in Chyrp Lite versions prior to 2026.01. This issue allows authenticated users with post editing permissions to modify posts they do not own and are not authorized to edit. The vulnerability arises in the Post model, where internal class properties can be injected into the post_attributes payload. This manipulation enables an attacker to alter the object being instantiated, leading to unauthorized modifications on another user's post, effectively allowing post takeover.
Exploitation of this vulnerability allows for unauthorized modification of posts, with the potential for privilege escalation by hijacking posts from other users.
To reproduce this vulnerability, an authenticated user with post editing permissions can intercept a request to edit a post they own. By adding a parameter to the request that includes the ID of a post belonging to another user, the attacker can overwrite the post ID being edited. When the request is sent, the application mistakenly applies the changes to the victim's post instead of the attacker's own, due to the injected ID being processed as a legitimate attribute.
Users can update to Chyrp Lite version 2026.01, which addresses this vulnerability by preventing the overwriting of class properties in the Post model with injected attribute values.
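As an added illustration (not Chyrp Lite's own code), the mass-assignment pattern the advisory describes is shown beside a hardened update that only accepts an allowlist of editable fields; the class, field and payload names are assumptions:

```php
<?php
// Hypothetical illustration of the mass-assignment pattern described in the
// advisory; the class, field and payload names are assumed, not Chyrp Lite's.
class VulnerablePost
{
    public function __construct(
        public int $id,
        public int $user_id,
        public string $title = '',
        public string $body = ''
    ) {}

    // Every key in the payload is copied onto the object, so a submitted
    // "id" (or "user_id") silently changes which post the edit applies to.
    public function update(array $post_attributes): void
    {
        foreach ($post_attributes as $key => $value) {
            $this->$key = $value;
        }
    }
}

class HardenedPost extends VulnerablePost
{
    // Only fields a user may legitimately edit are assignable by name;
    // identity fields such as id and user_id are never taken from the payload.
    private const EDITABLE = ['title', 'body'];

    public function update(array $post_attributes): void
    {
        foreach ($post_attributes as $key => $value) {
            if (in_array($key, self::EDITABLE, true)) {
                $this->$key = $value;
            }
        }
    }
}

// Constructed request: an edit to post 7 (owned by user 2) that smuggles id=42,
// the number of a post belonging to someone else.
$payload = ['title' => 'Edited', 'id' => 42];

$v = new VulnerablePost(7, 2);
$v->update($payload);
echo "vulnerable: edit now targets post {$v->id}\n";

$h = new HardenedPost(7, 2);
$h->update($payload);
echo "hardened:   edit still targets post {$h->id}\n";
```

The allowlist only closes the mass-assignment path; the edit handler must still verify that the current user owns or is authorized to edit the post identified by the route before calling update().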