Horilla HRMS Broken Access Control Vulnerability in Helpdesk Attachment Viewer
Vulnerability
A broken access control vulnerability has been identified in Horilla HRMS version 1.5.0. The issue allows any authenticated user to access attachments belonging to other tickets by changing the attachment ID in the request. This vulnerability could lead to the unauthorized exposure of sensitive support files and internal documents across different users or teams.
Impact
Exploitation of this vulnerability allows for unauthorized access to helpdesk ticket attachments, potentially leading to the exposure of internal files, screenshots, logs, exported data, or sensitive customer/support material. In shared installations, this could result in cross-tenant or cross-department data leakage.
Reproduction
To reproduce this vulnerability, log in as an authenticated user and navigate to the helpdesk attachment viewer. Intercept the request for an attachment using a tool like Burp Suite. Note the attachment ID and then log out and log back in as a different user. Change the attachment ID in the intercepted request to one from the first user's ticket and replay the request. The response will include the attachment from the first user, demonstrating the broken access control.
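As an added illustration that is not Horilla's own code, the pattern behind this finding and its fix in plain Python: the vulnerable viewer checks only that the caller is logged in, while the hardened one also verifies that the caller may see the attachment's parent ticket. All class names, role names and sample records here are constructed for the example.

```python
from dataclasses import dataclass

# Constructed toy model of a helpdesk; not Horilla's schema or code.
HELPDESK_ADMIN = "helpdesk_admin"  # hypothetical role name

@dataclass(frozen=True)
class User:
    id: int
    roles: frozenset = frozenset()

@dataclass(frozen=True)
class Ticket:
    id: int
    owner_id: int
    assignee_ids: frozenset = frozenset()

@dataclass(frozen=True)
class Attachment:
    id: int
    ticket_id: int
    filename: str

# Sample data: ticket 1 belongs to user 100 and is assigned to agent 300,
# ticket 2 belongs to user 200.
TICKETS = {1: Ticket(1, owner_id=100, assignee_ids=frozenset({300})),
           2: Ticket(2, owner_id=200)}
ATTACHMENTS = {10: Attachment(10, 1, "alice-screenshot.png"),
               20: Attachment(20, 2, "bob-export.csv")}

def view_attachment_vulnerable(user, attachment_id):
    """Mirrors the advisory's flaw: authentication is checked, but the
    attachment is looked up by ID with no check against the caller."""
    if user is None:
        raise PermissionError("login required")
    return ATTACHMENTS.get(attachment_id)

def can_access_ticket(user, ticket):
    """Object-level rule: ticket owner, an assigned agent, or an admin."""
    return (user.id == ticket.owner_id
            or user.id in ticket.assignee_ids
            or HELPDESK_ADMIN in user.roles)

def view_attachment(user, attachment_id):
    """Hardened viewer: authorize against the parent ticket before
    returning anything. Missing and forbidden IDs both yield None so the
    response does not reveal which attachment IDs exist."""
    if user is None:
        raise PermissionError("login required")
    att = ATTACHMENTS.get(attachment_id)
    ticket = TICKETS.get(att.ticket_id) if att else None
    if ticket is None or not can_access_ticket(user, ticket):
        return None
    return att
```

In an ORM-backed application the same rule is best expressed by scoping the query itself (filtering attachments by tickets the caller may see) rather than checking after a global lookup, so a forgotten check cannot silently fall back to the vulnerable path.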
