Skip to content

Instantly share code, notes, and snippets.

Created January 17, 2022 10:44
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
What would you like to do?



  • Broken Access Controls in Risk Create Information
  • Affected Product: DeltaRM 1.2
  • Vendor: DeltaRM
  • Severity: High
  • Vulnerability Class: Broken Access Controls
  • Status: Fixed
  • Author(s): Renato Cruz =======================================================================


An issue was discovered in Delta RM 1.2. It is possible for an unprivileged user to access the same information as an admin user regarding the risk creation information in the /risque/administration/referentiel/json/create/categorie endpoint, using the id_cat1 query parameter to indicate the risk.

Reproduction Steps

As an authenticated user, send the following request

GET /risque/administration/referentiel/json/create/categorie2?id_cat1=*risk id* HTTP/1.1
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=*session id*


The application needs to validate the current user roles and permissions, and guarantee that the user only has access to the expected allowed features and context.

  • With the exception of public resources, deny by default.
  • Log access control failures, alert admins when appropriate (e.g. repeated failures).
  • Rate limit API and controller access to minimize the harm from automated attack tooling.
  • JWT tokens should be invalidated on the server after logout.
  • Developers and QA staff should include functional access control unit and integration tests.

Disclosure Timeline

  • 26-10-2021: Vulnerability disclosed to DeltaRM
  • 28-10-2021: Acknowlegement from vendor
  • 11-12-2021: Fix released by the vendor
  • 10-01-2022: Retest performed, vulnerability fixed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment