wasResumeUsed ███ on /api-internal/api.htm endpoint leaking other user's resume usage status
Low
Vulnerability Details
**Summary:**
When a user tries to delete their resume, an API call to *████████* is made, which checks whether that resume was or is being used for the user's previous job applications. The endpoint takes a parameter **resumeMetadataId**, which corresponds to the metadata ID of the resume the user is trying to delete. The response contains a **wasResumeUsed** field, which gives that resume's status.
However, the metadata ID is not cross-checked with **███**, so the endpoint also returns the status of resumes that do not belong to that user.
Affected URL or select Asset from In-Scope: ███
Affected Parameter: *resumeMetadataId*
## Steps To Reproduce:
Assuming there are two accounts, A and B, and B has a resume *B.txt* with resumeMetadataId *x*:
1. From A's account, make a request to █████?█████=wasResumeUsed by pressing *Delete* on a resume.
2. Intercept the request and modify resumeMetadataId in the request to x.
3. Check that wasResumeUsed in the response is false (assuming that B.txt was never used for a job application).
4. From B's account, make a dummy application to a job using B.txt.
5. Repeat step 2 and verify that wasResumeUsed has changed to true.
## Supporting Material/References (screenshots, logs, videos):
* █████████
* █████████
## Impact
* This can be enumerated over all possible resumeMetadataId values, which do not necessarily belong to the user, leaking their usage status.
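
The missing ownership check described above, next to a scoped lookup, as an added example that is not code from the report or from the affected application. The in-memory store, the `owner` and `used` fields, the function names and the 404 response are assumptions made for illustration.

```python
# Constructed sample data: resumeMetadataId -> record. Field names other than
# resumeMetadataId/wasResumeUsed are assumptions, not taken from the report.
RESUMES = {
    101: {"owner": "A", "file": "A.txt", "used": True},
    202: {"owner": "B", "file": "B.txt", "used": False},
}

NOT_FOUND = (404, {"error": "resume not found"})


def was_resume_used_unchecked(session_user, resume_metadata_id):
    """Behaviour described in the report: lookup keyed on the id alone."""
    record = RESUMES.get(resume_metadata_id)
    if record is None:
        return NOT_FOUND
    return 200, {"wasResumeUsed": record["used"]}


def was_resume_used_checked(session_user, resume_metadata_id):
    """Lookup scoped to the authenticated user.

    An id owned by someone else gets the same response as an id that does
    not exist, so responses cannot be used to enumerate valid ids.
    """
    record = RESUMES.get(resume_metadata_id)
    if record is None or record["owner"] != session_user:
        return NOT_FOUND
    return 200, {"wasResumeUsed": record["used"]}


def cross_user_leaks(handler, session_user):
    """Regression check: other users' ids for which the handler reveals status."""
    leaked = []
    for rid, record in RESUMES.items():
        if record["owner"] == session_user:
            continue
        status, body = handler(session_user, rid)
        if status == 200 or "wasResumeUsed" in body:
            leaked.append(rid)
    return leaked


if __name__ == "__main__":
    print("unchecked:", cross_user_leaks(was_resume_used_unchecked, "A"))
    print("checked:  ", cross_user_leaks(was_resume_used_checked, "A"))
```

A check like `cross_user_leaks` fits in an authorization regression suite that runs every object-id endpoint with a second account's session.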
Report Stats
- Report ID: 909084
- State: Closed
- Substate: resolved
- Upvotes: 1