Description
Vulnerability Details
- File Path: orbit-app/src/pages/profile.jsx
- Vulnerability Type: Insecure Direct Object Reference (IDOR)
- Risk Level: High
Explanation:
The function 'deleteUser' takes a 'userId' parameter and directly constructs a DELETE request to the backend endpoint '/delete-user/{userId}'. There is no evidence of any authorization check to ensure that the caller is allowed to delete the specified user. If this function is exposed to untrusted clients (e.g., in a frontend app or API), a malicious user could supply any userId and potentially delete arbitrary users, leading to an Insecure Direct Object Reference (IDOR) vulnerability. The root cause is the lack of server-side authorization enforcement for the delete operation, and the client-side code does not restrict or validate the userId parameter.
Attack Scenario: An attacker who is authenticated as a low-privilege user (or even unauthenticated, depending on backend config) could call this function with the userId of another user (e.g., an admin or another victim) and trigger deletion of that account, resulting in privilege escalation or denial of service.
Potential Impact: Integrity and availability are severely impacted, as unauthorized deletion of user accounts can occur. Confidentiality may also be affected if deletion triggers data exposure or error messages.
Please investigate and resolve this issue to maintain code security and quality.
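The root cause named above is missing server-side authorization on the delete endpoint, so the fix belongs on the backend, not in `profile.jsx`. The following is an added illustration, not code from orbit-app (whose backend stack the report does not describe): a plain-Node model of the `DELETE /delete-user/{userId}` handler, showing the reported behaviour beside a hardened version that derives the caller from the server-side session and allows deletion only of the caller's own account or by an admin. The in-memory store, the `session.userId` shape and the role names are constructed assumptions.

```javascript
// Added example: backend-side model of DELETE /delete-user/{userId}.
// Constructed sample store; the role is the server's view, never the client's.
function makeStore() {
  return new Map([
    ["1", { id: "1", role: "admin" }],
    ["2", { id: "2", role: "user" }],
    ["3", { id: "3", role: "user" }],
  ]);
}

// Behaviour described in the report: the userId from the URL is trusted
// as-is, so any authenticated caller can delete any record it names.
function deleteUserVulnerable(store, session, userId) {
  if (!session) return { status: 401 };
  store.delete(userId);
  return { status: 204 };
}

// Hardened handler: the principal comes from the server-side session
// (assumed shape { userId }), and the object-level check compares it with the
// requested userId before any state change.
function deleteUserHardened(store, session, userId) {
  if (!session) return { status: 401 };
  const caller = store.get(session.userId);
  if (!caller) return { status: 401 };
  const isSelf = caller.id === userId;
  const isAdmin = caller.role === "admin";
  if (!isSelf && !isAdmin) {
    // Denied attempts are worth logging: many 403s from one session across
    // distinct userIds is a practical detection signal for IDOR probing.
    return { status: 403, audit: `deny delete user=${userId} by=${caller.id}` };
  }
  if (!store.has(userId)) return { status: 404 };
  store.delete(userId);
  return { status: 204 };
}
```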