Additionally, the system had configuration issues that allowed users to bypass authentication, and it had no valid CSRF protection mechanism. Because of this, any request carrying the session of a user with “admin” permissions could delete any user at any time, including a request forged by another site. An attacker could exploit these issues to steal user information or to conduct denial of service attacks against the system. Finally, the source code of the application was not publicly available, which made it difficult to audit and maintain.
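The two defects described above (a privileged delete action guarded only by a role check, with no CSRF token) can be contrasted with the fixed form in a few lines. The following is an added illustration, not code from the affected product: it models a session-bound synchronizer token, shows the unprotected handler beside the protected one, and uses a constant-time comparison so the token check does not leak timing. The `Session`, `UserStore` and handler names are assumptions for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session state (hypothetical model for the example)."""
    user: str
    role: str
    # Per-session synchronizer token; generated server-side, never guessable.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class UserStore:
    """Minimal in-memory user table (constructed sample data)."""
    def __init__(self, users):
        self.users = set(users)


def delete_user_unprotected(session, store, target):
    """Vulnerable pattern: the only guard is the caller's role.

    Any request that carries an admin's session cookie is honoured, including
    one a third-party page causes the browser to send without the admin's
    intent. This mirrors the flaw described in the write-up.
    """
    if session.role != "admin":
        return 403, "forbidden"
    store.users.discard(target)
    return 200, f"deleted {target}"


def delete_user_protected(session, store, target, submitted_token):
    """Hardened pattern: role check plus a session-bound CSRF token.

    A forged cross-site request can make the browser attach the cookie, but it
    cannot read the per-session token that a legitimate form embeds, so the
    comparison fails and nothing is deleted.
    """
    if session.role != "admin":
        return 403, "forbidden"
    if not submitted_token or not hmac.compare_digest(
        submitted_token, session.csrf_token
    ):
        # Reject before touching state; log this server-side in a real app.
        return 403, "csrf token missing or invalid"
    store.users.discard(target)
    return 200, f"deleted {target}"


def demo():
    """Run both handlers against constructed data and return the outcomes."""
    admin = Session(user="alice", role="admin")
    viewer = Session(user="bob", role="viewer")

    # Unprotected handler: a request with the admin session but no token succeeds.
    store = UserStore({"alice", "bob", "carol"})
    unprotected = delete_user_unprotected(admin, store, "carol")
    carol_gone_unprotected = "carol" not in store.users

    # Protected handler: no token, wrong token, non-admin, then a valid token.
    store = UserStore({"alice", "bob", "carol"})
    no_token = delete_user_protected(admin, store, "carol", "")
    wrong_token = delete_user_protected(admin, store, "carol", "not-the-token")
    non_admin = delete_user_protected(viewer, store, "carol", viewer.csrf_token)
    carol_still_present = "carol" in store.users
    valid = delete_user_protected(admin, store, "carol", admin.csrf_token)
    carol_gone_protected = "carol" not in store.users

    return {
        "unprotected_status": unprotected[0],
        "carol_gone_unprotected": carol_gone_unprotected,
        "no_token_status": no_token[0],
        "wrong_token_status": wrong_token[0],
        "non_admin_status": non_admin[0],
        "carol_still_present_before_valid": carol_still_present,
        "valid_status": valid[0],
        "carol_gone_protected": carol_gone_protected,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In a real deployment the token is rendered into each state-changing form (or sent as a header by a script that reads it from the page) and checked on every non-GET request; combining it with `SameSite` cookies gives defence in depth, and the unauthorised attempts should be logged so a burst of 403s on a privileged endpoint shows up in monitoring.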

Timeline

Published on: 10/12/2022 00:15:00 UTC
Last modified on: 10/13/2022 13:58:00 UTC

References