connect.8x8.com: Users with no permission can track/access restricted details/data via `GET /api/v2/support/requests/<ticket number> HTTP/2`
High
8
8x8 Bounty
Team Summary
Official summary from 8x8 Bounty
@emperor reported to us an issue where information about our internal support agents was visible via `/api/v2/support/requests/<ticket number>`. Our team put additional Access Control checks in place, which resolved the issue.
Reported by
emperor
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Information Disclosure