During the test, it was identified that any authenticated user could retrieve the activity list of all the application's users by changing the value of the "ForAllUsers" POST parameter from "false" to "true". The server honours this client-controlled parameter without checking whether the requesting user is authorised to view other users' activity, as the following screenshots demonstrate:
Image attached.
3.2.2 Implication and Impact
A malicious actor with a valid account could exploit the issue to obtain the activity records of every other user, which are potentially sensitive (for example, actions performed and their timing), and use that information to build more accurate and targeted attacks against those users or the application.
3.2.3 Affected resources
• https://xxx.com
3.2.4 Recommendations
Consider reviewing whether the "ForAllUsers" option is needed at all and, if not, removing it. If a view of all users' activity is a legitimate function for some roles (for example administrators), determine the scope on the server side from the authenticated session rather than from the POST parameter: resolve the user identity and role from the session token, ignore the client-supplied "ForAllUsers" value, and return other users' records only when a server-side role check passes. Verify the fix by replaying the original request with "ForAllUsers" set to "true" from a low-privilege account and confirming that only the requesting user's own activity is returned.
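The following is an added illustration, not code from the tested application: a minimal Python model of the vulnerable activity-list handler next to a hardened version that derives the scope from the session, plus a helper that reproduces the test step (same low-privilege session, "ForAllUsers" set to "false" and then "true") and reports whether the second response contains records the first did not. The session layout, the "admin" role name and the sample activity records are assumptions.

```python
# Added example (not the application's code). Models the "ForAllUsers"
# finding: a handler that trusts the client-supplied flag versus one that
# derives the scope from the authenticated session only.
from dataclasses import dataclass

# Constructed sample data: activity records keyed by their owner.
ACTIVITIES = [
    {"id": 1, "user_id": "alice", "action": "login"},
    {"id": 2, "user_id": "alice", "action": "download report"},
    {"id": 3, "user_id": "bob", "action": "password change"},
    {"id": 4, "user_id": "carol", "action": "login"},
]


@dataclass
class Request:
    session: dict  # populated server-side from the session token (trusted)
    form: dict     # POST body, fully under the client's control (untrusted)


def list_activity_vulnerable(req):
    """Honours the client-supplied ForAllUsers flag: any authenticated user
    can set it to "true" and receive every user's records."""
    if req.form.get("ForAllUsers", "false").lower() == "true":
        return list(ACTIVITIES)
    user = req.session["user_id"]
    return [a for a in ACTIVITIES if a["user_id"] == user]


def list_activity_fixed(req):
    """Scope comes from the session only. The POST parameter is never read;
    the 'all users' view is granted solely by a server-side role check
    (assumed role name: "admin")."""
    if req.session.get("role") == "admin":
        return list(ACTIVITIES)
    user = req.session["user_id"]
    return [a for a in ACTIVITIES if a["user_id"] == user]


def scope_bypass_possible(handler, session):
    """Reproduce the test step: call the handler with ForAllUsers=false and
    again with ForAllUsers=true using the same low-privilege session, and
    return True if the tampered request yields records the baseline did not."""
    baseline = handler(Request(session, {"ForAllUsers": "false"}))
    tampered = handler(Request(session, {"ForAllUsers": "true"}))
    baseline_ids = {a["id"] for a in baseline}
    return any(a["id"] not in baseline_ids for a in tampered)


if __name__ == "__main__":
    low_priv = {"user_id": "bob", "role": "user"}
    print("vulnerable handler bypassable:", scope_bypass_possible(list_activity_vulnerable, low_priv))
    print("fixed handler bypassable:     ", scope_bypass_possible(list_activity_fixed, low_priv))
```

The same comparison can be run against the live endpoint after the fix is deployed: replay the captured request from a low-privilege account with both parameter values and confirm the responses contain only that account's own records.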