Improper Access Control allows OTP bypass
Medium
Lark Technologies
Team Summary
Official summary from Lark Technologies
By directly navigating to the Admin Log download endpoint, the requirement for an OTP sent to the user's email could be bypassed, and users within the organization could access Admin Logs without verifying their identity. We thank @kongwenbin for reporting this to our team and confirming its resolution.
Reported by
kongwenbin
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Improper Access Control - Generic