Hi everyone. Today I'm excited to share a vulnerability I discovered in ExamSheet Enterprise. This security flaw allows low-level, unlicensed users to delete forms despite lacking the necessary permissions and plan. The issue undermines the core principles of access control and earned me a bounty of $500.
Understanding the Target: ExamSheet Enterprise
ExamSheet Enterprise is a powerful platform designed for sheet management and automation. It allows users to create, manage, and share sheets, forms, and workflows across different teams and departments. However, a vulnerability in the access control system allows unlicensed users to delete forms, posing a significant risk to data integrity and security.
The Vulnerability: Unauthorized Form Deletion
In ExamSheet, form deletion is supposed to be restricted to licensed users with specific permissions. However, I found that unlicensed users could bypass these restrictions and delete forms using crafted HTTP requests. This vulnerability highlights a significant gap in the access control mechanism, potentially allowing unauthorized data deletion and compromising the integrity of the platform.
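To make the gap concrete, here is an added illustration (not ExamSheet's code, and not the requests used in the report) of a form-delete handler that trusts the client versus one that enforces plan and permission on the server. The plan names, the `forms:delete` permission string and the in-memory store are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Assumption for the example: which plans are "licensed" for form management.
LICENSED_PLANS = {"team", "enterprise"}


@dataclass
class User:
    user_id: str
    org_id: str
    plan: str                      # e.g. "free" (unlicensed) or "enterprise"
    permissions: set = field(default_factory=set)


@dataclass
class Form:
    form_id: str
    org_id: str
    owner_id: str


class Forbidden(Exception):
    """Raised when the server-side authorization decision denies the action."""


def can_delete_form(user: User, form: Form) -> bool:
    """Every condition must hold, regardless of how the request was crafted."""
    if user.org_id != form.org_id:              # never act across tenants
        return False
    if user.plan not in LICENSED_PLANS:         # unlicensed plan: the gap in the write-up
        return False
    if "forms:delete" not in user.permissions:  # role-level permission check
        return False
    return True


def delete_form_vulnerable(store: dict, form_id: str, user: User) -> bool:
    """'Before': relies on the UI hiding the button; any request that arrives is honoured."""
    return store.pop(form_id, None) is not None


def delete_form_fixed(store: dict, form_id: str, user: User) -> bool:
    """'After': the authorization decision is made on the server for every request."""
    form = store.get(form_id)
    if form is None:
        return False                            # nothing to delete (or not visible to caller)
    if not can_delete_form(user, form):
        raise Forbidden(f"user {user.user_id} may not delete form {form_id}")
    del store[form_id]
    return True
```

The point of the fixed handler is that the check runs on the server for each request, so hiding the delete button in the client changes nothing about who can actually delete a form.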
Understanding the Bug Type: Improper Handling of…