IDOR on deleting drafts on https://apps.topcoder.com/wiki/users/viewmydrafts.action via discardDraftId parameter

Disclosed: 2020-05-12 14:42:17 By meryem0x To lab45

Medium

Vulnerability Details

Hi :) On https://apps.topcoder.com/wiki/users/viewmydrafts.action, you can see your drafts, edit or delete them. Users can delete their own drafts on `https://apps.topcoder.com/wiki/users/viewmydrafts.action?discardDraftId=<DRAFT_ID>`. But there is no check and an attacker can change `discardDraftId` and delete all drafts. ## Impact An attacker can delete other user's drafts.

Actions

View on HackerOne

Report Stats

Report ID: 868590
State: Closed
Substate: resolved
Upvotes: 28

IDOR on deleting drafts on https://apps.topcoder.com/wiki/users/viewmydrafts.action via discardDraftId parameter

Vulnerability Details

Actions

Report Stats

Share this report