BUG #4386

open

[SQA] IDOR in User Management API – Unauthorized Data Access

Added by Tasfia Zaima 1 day ago.

Status: Pending
Priority: High
Target version:
Start date: 04/08/2026
Due date:
% Done: 0%
Estimated time:

Description:
The endpoint /api/user-management/users/?id=<userId> fails to enforce proper authorization. Authenticated users can manipulate the id parameter to access other users’ data without permission, exposing email, profile info, and account metadata.

Steps to Reproduce (tested using Burp Suite):

  1. Log in as a normal user (userId=654).
  2. Open Burp Suite and intercept the request: GET /api/user-management/users/?id=654
  3. Modify the id parameter to another user, e.g., id=655.
  4. Forward the request through Burp Suite.
  5. Observe that the response returns data of user 655.

Actual Result:
Returns sensitive data of user 655.

Expected Result:
Only the requesting user’s data should be returned. Unauthorized requests should return 403 Forbidden or 401 Unauthorized.

Impact:

  • Unauthorized access to user data
  • Privacy violations
  • User enumeration
  • Potential escalation if chained with other vulnerabilities
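The missing check described in the Expected Result and the enumeration risk listed above, as an added example that is not code from this bug report or the affected project: a minimal model of the `/api/user-management/users/?id=<userId>` handler with the current authentication-only lookup next to one that enforces object-level authorization. The user store, role field and `Response` type are constructed for the example.

```python
# Added illustration, not the project's code: object-level authorization
# for GET /api/user-management/users/?id=<userId>.
from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed sample store; ids 654 and 655 mirror the ticket's repro steps.
USERS = {
    654: {"id": 654, "email": "user654@example.test", "role": "user"},
    655: {"id": 655, "email": "user655@example.test", "role": "user"},
    1:   {"id": 1,   "email": "admin@example.test",   "role": "admin"},
}

@dataclass
class Response:
    status: int
    body: dict

def get_user_vulnerable(session_user_id, requested_id):
    """Reported behaviour: only checks that the caller is logged in, so any
    authenticated user can read any id (the IDOR)."""
    if session_user_id not in USERS:
        return Response(401, {"error": "unauthenticated"})
    user = USERS.get(requested_id)
    if user is None:
        return Response(404, {"error": "not found"})
    return Response(200, user)

def get_user_fixed(session_user_id, requested_id):
    """Hardened: authorize the (caller, requested object) pair before the lookup."""
    caller = USERS.get(session_user_id)
    if caller is None:
        return Response(401, {"error": "unauthenticated"})
    # Self-access, or an explicitly privileged role (assumed 'admin'), is allowed.
    if requested_id != session_user_id and caller["role"] != "admin":
        # 403 for every foreign id, whether or not it exists, so the status
        # code cannot be used to enumerate valid user ids.
        return Response(403, {"error": "forbidden"})
    user = USERS.get(requested_id)
    if user is None:
        return Response(404, {"error": "not found"})
    return Response(200, user)

def handle_get(session_user_id, query_string, handler=get_user_fixed):
    """Parse `id=<userId>` from the query string as in the captured request."""
    raw = parse_qs(query_string).get("id", [None])[0]
    if raw is None or not raw.isdigit():
        return Response(400, {"error": "id must be a positive integer"})
    return handler(session_user_id, int(raw))
```

With the fixed handler, the ticket's step 3 (user 654 requesting `id=655`) yields 403 instead of user 655's record.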

Proof of Concept:
Captured request/response using Burp Suite demonstrating access to another user’s data:
PoC
