Hello,
Simply by changing the id in the link provided in the email, or in the link in "My Payments - View details", users can access any valid id.
This should be strictly forbidden if the invoice-payment is not linked to the logged-in user!
?option=com_invoices&view=payment&id=#
Why is that? Can we do something about this "vulnerability"?
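What the post describes is an insecure direct object reference: the component looks up the payment by the `id` in the URL alone, so any logged-in user who edits that number sees another customer's record. The fix is to make the ownership condition part of the lookup itself. The following is an added example of how such a check looks in a Joomla 3-style model; it is not code from com_invoices or from the forum post. The table name `#__invoices_payments`, its columns (`id`, `user_id`, `invoice_id`, `amount`, `created`), the model class name and the `core.manage` permission are assumptions about the component's schema and ACL; substitute the real ones.

```php
<?php
// Added example, not the com_invoices code: a Joomla 3 item model whose getItem()
// refuses to return a payment unless it belongs to the logged-in user (or the
// user may manage the whole component). Table/column names are assumed.
defined('_JEXEC') or die;

class InvoicesModelPayment extends JModelItem
{
    public function getItem($pk = null)
    {
        $app  = JFactory::getApplication();
        $user = JFactory::getUser();
        $db   = $this->getDbo();

        // getInt() casts the request value, so a tampered id such as "12 OR 1=1" becomes 12.
        $pk = (int) ($pk ?: $app->input->getInt('id', 0));

        // A guest owns no payments; never fall through to a query with user_id = 0.
        if ($user->guest) {
            throw new Exception(JText::_('JERROR_ALERTNOAUTHOR'), 403);
        }

        $query = $db->getQuery(true)
            ->select($db->quoteName(array('id', 'user_id', 'invoice_id', 'amount', 'created')))
            ->from($db->quoteName('#__invoices_payments'))
            ->where($db->quoteName('id') . ' = ' . $pk);

        // Ownership is enforced inside the query, not checked after the row is loaded.
        // Users with the (assumed) core.manage permission on the component may see all payments.
        if (!$user->authorise('core.manage', 'com_invoices')) {
            $query->where($db->quoteName('user_id') . ' = ' . (int) $user->id);
        }

        $item = $db->setQuery($query)->loadObject();

        // A record that exists but belongs to someone else yields the same 404 as a
        // non-existent one, so valid ids cannot be enumerated from the status code.
        if (!$item) {
            throw new Exception('Payment not found', 404);
        }

        return $item;
    }
}
```

The same rule applies to the link in the email: the `id` in it can be tampered with just as easily, so the server must never treat the presence of an id as proof of authorisation. Until the component is patched, the only reliable mitigation is at that server-side lookup; hiding the id in the URL (for example with a hash) does not help, because the tampered request still reaches the same unchecked query.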