User can subscribe to a plan that is hidden by manipulating the value of the "subscription" parameter at [https://app.dropcontact.io/app/checkout/]
Medium
Dropcontact
Team Summary
Official summary from Dropcontact
When logged into Dropcontact, going into subscription and clicking on some plan, you have the ID of the plan in the URL; someone could see a hidden plan by changing this parameter.
Reported by
xploiterr
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Business Logic Errors