Insecure Direct Object Reference (IDOR) is a particular case of the Broken Access Control (BAC) vulnerability
class. It occurs when an application exposes a direct reference to an internal object (such as a user or record
identifier) and acts on that reference without verifying that the authenticated user is entitled to the object,
allowing users to access restricted functionality or resources. This typically results from insufficiently
implemented access controls, such as failing to authorize the user for the referenced object, or from access
controls that can be bypassed through flaws in the application’s design or configuration.
During the security assessment, we identified that the application was vulnerable to IDOR, which allowed an
authenticated user to perform specific actions on behalf of another user. The affected endpoints and the
corresponding parameters are described below.
1. A malicious actor could change or reset any user’s profile picture by modifying the “userId” POST parameter
in requests to the following endpoints:
• https://XXX.com/WebUI/Models/CME/Services/UserAvatar.svc/Save
• https://XXX.com/WebUI/Models/CME/Services/UserAvatar.svc/Reset
2. A malicious actor could start and finish workflow activities that are not assigned to them by modifying the
“id” POST parameter in requests to the following endpoints:
• https://XXX.com/WebUI/Models/tcm54/Services/Workflow.svc/StartActivity
• https://XXX.com/WebUI/Models/tcm54/Services/Workflow.svc/FinishActivity
As a proof-of-concept, we changed the profile picture of another user by exploiting the IDOR issue.
Implication and Impact
A malicious actor could exploit the issue to compromise the application’s integrity and confidentiality. Missing
authorization checks allow an attacker to change or reset the profile image of any user and to start and finish
workflow activities on behalf of other users.
Affected resources
• https://XXX.com
Recommendations
Enforce authorization on the server side for every request that references an object, so that clients can only
reach the data and functions they are entitled to. The application should derive the acting user from the
session or token rather than from request parameters such as “userId”, and, before performing an action, verify
that the authenticated user is entitled to the referenced object (for example, that a workflow activity is
assigned to them). Client-supplied identifiers must never be taken as proof of privilege.
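The following is an added illustration, not code from the assessed application: it models the two IDOR patterns described in this finding (a client-supplied “userId” for the avatar endpoints and a client-supplied “id” for the workflow endpoints) in minimal Python handlers, each beside a hardened version that applies the recommendation above. The store, user names, activity id and request bodies are all constructed for the example; the hardened handlers ignore the client-supplied owner, take the acting user from the session, and check assignment before modifying anything.

```python
# Added example (not the assessed application's code): the two IDOR patterns
# from the finding, each beside a hardened handler that derives the acting user
# from the session and checks ownership or assignment server-side.
# All names, data and request bodies below are constructed for illustration.

from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the authenticated user is not allowed to act on the object."""


@dataclass
class Activity:
    id: int
    assignee: str          # user the workflow activity is assigned to
    state: str = "new"     # new -> started -> finished


@dataclass
class Store:
    avatars: dict = field(default_factory=dict)      # userId -> avatar blob
    activities: dict = field(default_factory=dict)   # activity id -> Activity


# --- Vulnerable pattern: the server trusts identifiers supplied by the client ---

def save_avatar_vulnerable(store, session_user, form):
    # "userId" comes from the POST body, so any authenticated user can pick a victim.
    store.avatars[form["userId"]] = form["image"]
    return 200


def start_activity_vulnerable(store, session_user, form):
    # "id" is looked up and mutated with no check that it is assigned to the caller.
    activity = store.activities[int(form["id"])]
    activity.state = "started"
    return 200


# --- Hardened pattern: the acting user is the session user, and every object
#     reference is checked against that user before anything is modified ---

def save_avatar_hardened(store, session_user, form):
    # The avatar being saved is always the caller's own; a client-supplied
    # "userId" is ignored (and would be worth logging as a tampering signal).
    store.avatars[session_user] = form["image"]
    return 200


def start_activity_hardened(store, session_user, form):
    activity = store.activities.get(int(form["id"]))
    # Same response for "does not exist" and "not assigned to you", so the
    # endpoint cannot be used to enumerate valid activity ids.
    if activity is None or activity.assignee != session_user:
        raise Forbidden(f"user {session_user!r} may not act on activity {form['id']}")
    activity.state = "started"
    return 200


def fresh_store():
    # Constructed data: two users with avatars and one activity assigned to bob.
    return Store(avatars={"alice": b"alice.png", "bob": b"bob.png"},
                 activities={54: Activity(id=54, assignee="bob")})


def demo():
    """Replay the proof-of-concept (alice names bob in the body) against both versions."""
    attacker = "alice"
    tampered_avatar = {"userId": "bob", "image": b"attacker.png"}
    tampered_activity = {"id": "54"}

    store = fresh_store()
    save_avatar_vulnerable(store, attacker, tampered_avatar)
    start_activity_vulnerable(store, attacker, tampered_activity)
    vulnerable_result = (store.avatars["bob"], store.activities[54].state)

    store = fresh_store()
    save_avatar_hardened(store, attacker, tampered_avatar)
    try:
        start_activity_hardened(store, attacker, tampered_activity)
        denied = False
    except Forbidden:
        denied = True
    hardened_result = (store.avatars["bob"], store.avatars["alice"],
                       store.activities[54].state, denied)
    return vulnerable_result, hardened_result


if __name__ == "__main__":
    print(demo())
```

In the vulnerable handlers the tampered request overwrites bob’s avatar and starts bob’s activity; in the hardened handlers the same request only touches alice’s own avatar and the activity request is refused, while bob acting on his own activity still succeeds.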