An attacker can submit arbitrary projects to their service accounts and obtain full information on projects of other users.
High
LinkedIn
Team Summary
Official summary from LinkedIn
An IDOR issue was discovered in the Request Services feature, where an attacker can gain access to project details of other users by submitting work project requests. Henceforth, an attacker can obtain the details of projects submitted to other service providers and submit their own proposals to the victim (owner of the project). We have resolved the issue on priority and paid a bounty to the researcher.
Reported by
marvelmaniac
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Insecure Direct Object Reference (IDOR)
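
The object-level authorization check whose absence produces the IDOR class described in the summary, shown as an added example that is not LinkedIn's code or part of the original report. The data model, function names, project IDs and provider names are all assumptions constructed for illustration: each project records its owner and the providers the request was routed to, and both the read path and the proposal path verify that relationship before touching the object.

```python
from dataclasses import dataclass, field

class NotFound(Exception):
    """Raised for missing AND unauthorized objects, so IDs cannot be probed."""

@dataclass
class Project:
    owner: str
    details: str
    invited: frozenset  # providers the owner's request was routed to
    proposals: dict = field(default_factory=dict)

# Constructed sample data: two requests routed to different providers.
PROJECTS = {
    1001: Project("alice", "Logo redesign, budget 500", frozenset({"prov_a"})),
    1002: Project("bob", "Tax filing for 2 entities", frozenset({"prov_b"})),
}

def get_project_vulnerable(caller: str, project_id: int) -> str:
    # IDOR: the caller is authenticated, but the object is fetched by the
    # client-supplied ID alone, so any provider can read any project.
    return PROJECTS[project_id].details

def _authorized_project(caller: str, project_id: int) -> Project:
    project = PROJECTS.get(project_id)
    # Object-level check: caller must own the project or be a provider the
    # request was actually sent to. Same error for "absent" and "not yours".
    if project is None or (caller != project.owner and caller not in project.invited):
        raise NotFound(project_id)
    return project

def get_project(caller: str, project_id: int) -> str:
    return _authorized_project(caller, project_id).details

def submit_proposal(caller: str, project_id: int, text: str) -> None:
    project = _authorized_project(caller, project_id)
    # Write paths need the same check: only invited providers may propose.
    if caller not in project.invited:
        raise NotFound(project_id)
    project.proposals[caller] = text
```
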