+ "details": "## **Summary**\n\nAn **IDOR (Insecure Direct Object Reference)** vulnerability in the Grav CMS Admin Panel allows **low-privilege users to access sensitive information** from other accounts.\nAlthough direct account takeover is not possible, **admin email addresses and other metadata can be exposed**, increasing the risk of phishing, credential stuffing, and social engineering.\n\n---\n\n## **Details**\n\n* **Endpoint:** `/admin/accounts/users/{username}`\n* **Tested Version:** Grav Admin 1.7.48\n* **Affected Accounts:** Authenticated users with **0 privileges** (non-privileged accounts)\n\n**Description:**\nRequesting another user’s account details (e.g., `/admin/accounts/users/admin`) as a low-privilege user returns an HTTP **403 Forbidden** response.\nHowever, sensitive information such as the **admin’s email address** is still present in the **response source**, specifically in the `<title>` tag.\n\n**system/src/Grav/Common/Flex/Types/Users/UserCollection.php**\n<img width=\"700\" height=\"327\" alt=\"Screenshot 2025-08-24 021027\" src=\"https://github.com/user-attachments/assets/7e69ae49-d8fc-442f-b00c-9efaec706b2e\" />\n\n**system/blueprints/flex/user-accounts.yaml**\n<img width=\"700\" height=\"300\" alt=\"Screenshot 2025-08-24 020521\" src=\"https://github.com/user-attachments/assets/756631c8-d60b-4b84-a08a-2a9c2f81b41f\" />\n\n\nThis is a classic **IDOR vulnerability**, where object references (usernames) are not properly protected from unauthorized enumeration.\n\n---\n\n## **PoC**\n\n1. Log in as a **non-privileged user** (0-privilege account).\n2. Access another user’s endpoint, for example:\n\n ```\n GET /admin/accounts/users/admin\n ```\n3. Observe the HTTP **403 Forbidden** response.\n4. 
Inspect the **page source**; sensitive data such as the **admin email** can be seen in the `<title>` tag.\n\n**PoC Video:** \n\n[https://drive.google.com/file/d/1lY_qwqSkN5sPNmHvXGOk6R1mdIgVt71H/view](https://drive.google.com/file/d/1lY_qwqSkN5sPNmHvXGOk6R1mdIgVt71H/view)\n\n---\n\n## **Impact**\n\n* **Type:** Information Disclosure via IDOR\n* **Who is impacted:** Low-privilege authenticated users can enumerate other accounts and extract sensitive metadata (admin emails).\n* **Risk:** Exposed information can be used for targeted phishing, credential stuffing, brute-force attacks, or social engineering campaigns.\n* **Severity Justification:** Only a low-privilege account is required, and sensitive metadata is leaked. Arbitrary code execution is not possible, but the information exposure is **moderate risk**.\n\n---\n\n## **Disclosure & CVE Request**\n\n* We request a **CVE ID** for this vulnerability once validated.\n* Please credit the discovery to:\n\n * **Elvin Nuruyev**\n * **Kanan Farzalili**",
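Review bot: the root cause in the "Details" section is given only as two screenshots (UserCollection.php and user-accounts.yaml) and the text never says why an account's email ends up in the `<title>` tag of a 403 response; images embedded in a `details` string will not be readable by anyone consuming the advisory as JSON or text, so the code path should be described in a sentence or two instead. The same section would benefit from naming the expected remediation, which the report implies but does not state: the permission check must run before the requested user record is loaded into the page template, so that the 403 page carries no account fields at all. Two smaller points: "Tested Version: Grav Admin 1.7.48" should be paired with an affected-versions range and the fixed version once known, and the credit list under "Disclosure & CVE Request" belongs in the advisory's credits metadata rather than in the description body.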