Incorrect Access Control #51

Open
aashiqahamedn opened this issue Nov 8, 2023 · 0 comments

aashiqahamedn commented Nov 8, 2023

Name of the Affected Product:
Reportico

Affected Version:
Till 8.1.0

Description:
This vulnerability occurs when a low privilege user is able to access and view configuration details that are intended to be restricted to admin users. These configuration details may include sensitive information related to SQL queries and other critical system settings. This unauthorized access allows the low privilege user to gain insights into the inner workings of the application or system, potentially leading to unintended exposure of sensitive data or exploitation of system weaknesses.

Impact:
This vulnerability poses serious risks to the security and integrity of the application and its underlying systems. By gaining access to sensitive configuration details, low-privileged users can exploit system weaknesses, potentially leading to data breaches, unauthorized data manipulation, or even system compromise.

URL:
http://localhost/reportico-8.1.0/run.php?execute_mode=PREPARE&xmlin=qqqq.xml&reportico_session_name=b137719u9cqjt0sqog9aorvcks_reportico
http://localhost/reportico-8.1.0/run.php?execute_mode=MAINTAIN&xmlin=qqqq.xml&reportico_session_name=b137719u9cqjt0sqog9aorvcks_reportico

Steps:
By changing the execute_mode parameter in the URL from PREPARE to MAINTAIN, the low privilege user can view the config page, which is restricted for low privilege users.

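The report describes a mode switch (execute_mode=PREPARE to execute_mode=MAINTAIN) that is not backed by a server-side role check. The following is an added illustration, not Reportico's own code: a run.php-style dispatcher that decides the allowed mode from the session role rather than from the URL, with the mode tables and session layout being assumptions.

```php
<?php
// Added example, not code from the Reportico project. It models a run.php-style
// dispatcher where execute_mode from the query string is only a request; the
// decision to show the maintenance/config view comes from the server-side role.
declare(strict_types=1);

// Hypothetical policy tables: modes any authenticated user may request, and
// modes that must be limited to administrators.
const USER_MODES       = ['PREPARE', 'EXECUTE'];
const ADMIN_ONLY_MODES = ['MAINTAIN'];

/**
 * Return the mode the session is allowed to run, or null to refuse.
 * $session is the server-side session (assumed shape: ['user' => ..., 'role' => ...]).
 */
function authorizeMode(array $session, string $requestedMode): ?string
{
    $mode = strtoupper(trim($requestedMode));

    // Deny by default: an unknown mode must not fall through to a privileged view.
    if (!in_array($mode, array_merge(USER_MODES, ADMIN_ONLY_MODES), true)) {
        return null;
    }

    // The check the report describes as missing: privileged modes require the
    // admin role no matter what the URL says.
    $isAdmin = ($session['role'] ?? '') === 'admin';
    if (in_array($mode, ADMIN_ONLY_MODES, true) && !$isAdmin) {
        return null;
    }

    return $mode;
}

// Constructed sample sessions and the two requests from the report.
$requests = [
    [['user' => 'alice', 'role' => 'user'],  'PREPARE'],
    [['user' => 'alice', 'role' => 'user'],  'MAINTAIN'],
    [['user' => 'root',  'role' => 'admin'], 'MAINTAIN'],
];

foreach ($requests as [$session, $requested]) {
    $allowed = authorizeMode($session, $requested);
    if ($allowed === null) {
        // Refuse with 403 and leave an audit trail of the attempted mode.
        error_log(sprintf('denied execute_mode=%s for user=%s', $requested, $session['user']));
        echo "{$session['user']} -> {$requested}: 403 Forbidden\n";
        continue;
    }
    echo "{$session['user']} -> {$allowed}: allowed\n";
}
```

The same pattern applies to any other privileged view the application exposes through a mode parameter: the parameter selects a page, the session role decides whether it may be rendered.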

@aashiqahamedn aashiqahamedn changed the title Unauthorized Access and Information Disclosure Incorrect Access Control Mar 27, 2024