IDOR on deleting drafts on https://apps.topcoder.com/wiki/users/viewmydrafts.action via discardDraftId parameter
Medium
Lab45
Reported by
meryem0x
Vulnerability Details
Technical details and impact analysis
Hi :)
On https://apps.topcoder.com/wiki/users/viewmydrafts.action, you can see your drafts, edit or delete them. Users can delete their own drafts on `https://apps.topcoder.com/wiki/users/viewmydrafts.action?discardDraftId=<DRAFT_ID>`.
But there is no check, and an attacker can change `discardDraftId` and delete all drafts.
## Impact
An attacker can delete other users' drafts.
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Insecure Direct Object Reference (IDOR)
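The missing ownership check described in the report, shown beside a handler that enforces it. This is an added sketch, not Topcoder's code and not part of the original report; the names `DraftStore`, `discard_draft_unchecked`, `discard_draft_checked`, the users and the draft ids are all hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Draft:
    draft_id: int
    owner: str
    title: str


class DraftStore:
    """In-memory stand-in for the wiki's draft table (hypothetical)."""

    def __init__(self, drafts):
        self._drafts = {d.draft_id: d for d in drafts}

    def get(self, draft_id):
        return self._drafts.get(draft_id)

    def delete(self, draft_id):
        return self._drafts.pop(draft_id, None) is not None


def discard_draft_unchecked(store, session_user, discard_draft_id):
    """Behaviour the report describes: the id alone selects the draft."""
    return 200 if store.delete(discard_draft_id) else 404


def discard_draft_checked(store, session_user, discard_draft_id, audit_log):
    """Delete only when the draft belongs to the authenticated session user."""
    draft = store.get(discard_draft_id)
    if draft is None or draft.owner != session_user:
        if draft is not None:
            # Cross-user request: record it for detection, reveal nothing.
            audit_log.append((session_user, discard_draft_id, "denied"))
        return 404  # same answer for "missing" and "not yours"
    store.delete(discard_draft_id)
    audit_log.append((session_user, discard_draft_id, "deleted"))
    return 200


def sample_store():
    # Constructed sample data: two users, three drafts.
    return DraftStore([
        Draft(101, "alice", "Release notes"),
        Draft(102, "bob", "Design review"),
        Draft(103, "alice", "Meeting minutes"),
    ])
```

The owner comes from the server-side session, never from a request parameter, and denied entries in the audit log give responders a record of cross-user deletion attempts.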