IDOR in backup recovery functionality
High
Acronis
Team Summary
Official summary from Acronis
IDOR in backup recovery functionality allowed an authenticated attacker knowing a user's machine UUID, backup ID and some other parameters to configure and run a recovery plan. We have seen no signs of exploitation of this vulnerability.
Reported by
theelgo64
Vulnerability Details
Technical details and impact analysis
## Summary
Hi team, I hope you are well. There is an issue that let me take over any backup by recovering it to my machine.
## Steps To Reproduce
1. Log in to https://mc-beta-cloud.acronis.com
2. Visit the DEVICES section [you must have 2 devices]
3. Click on any device that has a backup [device_1]
4. Click on recovery > select machine > select the second machine [device_2]
5. Follow the steps to recover the backup to [device_2]
6. In Burp, search for this endpoint: `/bc/api/ams/recovery/plan_operations/run`
7. Send the request again using an `X-Apigw-Session` session from another organization.
## POC
{F2222128}
## Impact
- Backup Takeover via recovery function.
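The class of fix this report calls for, as an added example that is not Acronis's code: a toy model of the run endpoint (tenant, session, machine and backup values are constructed sample data) showing the authentication-only handler that a replay with another organization's session passes, beside a handler that also checks that the backup and the target machine belong to the caller's tenant.

```python
from dataclasses import dataclass

# Constructed model of the tenancy data behind the recovery endpoint.
# "Tenant" stands in for an organization; all values are sample data.
@dataclass(frozen=True)
class Machine:
    uuid: str
    tenant_id: str

@dataclass(frozen=True)
class Backup:
    backup_id: str
    tenant_id: str

MACHINES = {m.uuid: m for m in (
    Machine("m-A1", "tenant-A"), Machine("m-A2", "tenant-A"),
    Machine("m-B1", "tenant-B"),
)}
BACKUPS = {b.backup_id: b for b in (
    Backup("bk-A1", "tenant-A"), Backup("bk-B1", "tenant-B"),
)}
# X-Apigw-Session value -> tenant the session was issued for
SESSIONS = {"sess-A": "tenant-A", "sess-B": "tenant-B"}

class AuthorizationError(Exception):
    pass

def run_recovery_plan_vulnerable(session, backup_id, target_machine_uuid):
    # Only checks that the caller is authenticated, then trusts the IDs
    # in the body: any valid session can recover any tenant's backup.
    if session not in SESSIONS:
        raise AuthorizationError("not authenticated")
    backup, target = BACKUPS[backup_id], MACHINES[target_machine_uuid]
    return {"backup": backup.backup_id, "target": target.uuid}

def recovery_authorized(tenant_id, backup_id, target_machine_uuid):
    # Object-level check: the backup and the target machine must both be
    # owned by the caller's tenant. Unknown IDs fail the same way as foreign
    # ones so the endpoint does not confirm that an ID exists elsewhere.
    backup = BACKUPS.get(backup_id)
    target = MACHINES.get(target_machine_uuid)
    return (backup is not None and target is not None
            and backup.tenant_id == tenant_id and target.tenant_id == tenant_id)

def run_recovery_plan_fixed(session, backup_id, target_machine_uuid):
    tenant_id = SESSIONS.get(session)
    if tenant_id is None:
        raise AuthorizationError("not authenticated")
    if not recovery_authorized(tenant_id, backup_id, target_machine_uuid):
        raise AuthorizationError("backup or machine not found in caller's tenant")
    return {"backup": backup_id, "target": target_machine_uuid, "tenant": tenant_id}
```

The tenant is derived from the session, never from the request body, so the caller cannot supply it.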
Report Details
Additional information and metadata
State
Closed
Substate
Resolved