Bug #93: Privilege Escalation via Unauthorized Status Update (Mass Assignment Vulnerability) (Web-API) - akinder volunteer testing - Redmine

Actions

Copy link

Bug #93

open

Privilege Escalation via Unauthorized Status Update (Mass Assignment Vulnerability) (Web-API)

Added by Vivek Kumar about 2 hours ago.

Status:

New

Priority:

Normal

Assignee:

Start date:

04/21/2026

Due date:

% Done:

Estimated time:

Spent time:

1:00 h

Description

The /api/agency/update endpoint allows an authenticated user to modify restricted fields such as status. This enables a user to self-verify or change their account status without admin approval, leading to privilege escalation.

Endpoint:
POST https://devapi.akindervolunteer.com/api/agency/update

Steps to Reproduce:

Authenticate as a normal agency user.
Send the following request:

POST /api/agency/update
Authorization: Bearer <user_token>
Content-Type: application/json

{
  "status": "Available"
}

Observe that the user's status is updated successfully.

Expected Behavior:
Only administrators should be able to update sensitive fields like status.

Actual Behavior:
Any authenticated user can update their own status.

Spent time

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

akinder volunteer testing

Custom queries

Bug #93

Privilege Escalation via Unauthorized Status Update (Mass Assignment Vulnerability) (Web-API)