CVE-2026-23843
IDOR Vulnerability in teklifolustur_app Allows Unauthorized Offer Access

Publication date: 2026-01-19

Last updated on: 2026-01-19

Assigner: GitHub, Inc.

Description
teklifolustur_app is a web-based PHP application that allows users to create, manage, and track quotes for their clients. Prior to commit dd082a134a225b8dcd401b6224eead4fb183ea1c, an Insecure Direct Object Reference (IDOR) vulnerability exists in the offer view functionality. Any authenticated user can change the offer_id parameter to view offers belonging to other users. The root cause is a missing authorization check that the requested offer belongs to the currently authenticated user; the offer is looked up by its identifier alone. Commit dd082a134a225b8dcd401b6224eead4fb183ea1c contains a patch.
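The pattern behind this class of bug, and the fix, as an added PHP illustration that is not code from teklifolustur_app or its patch. The table and column names (offers.id, offers.user_id, offers.title), the function names and the two user IDs are assumptions; the real schema and endpoint are not on this page. The block uses an in-memory SQLite database so it runs offline, and it ends with a differential ownership test of the kind one would run against a live instance: the same low-privilege user requests its own offer and then someone else's.

```php
<?php
// Added illustration of CWE-639 in an "offer view" handler; not the project's code.
// Assumed schema: offers(id, user_id, title). Assumed users: 10 and 20.
declare(strict_types=1);

// Constructed fixture: two users, each owning one offer.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE offers (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, title TEXT NOT NULL)');
$db->exec("INSERT INTO offers (id, user_id, title) VALUES (1, 10, 'Quote for ACME'), (2, 20, 'Quote for Globex')");

// Vulnerable pattern: the row is selected by offer_id alone. $sessionUserId
// (what $_SESSION would supply in the real app) is never consulted, so any
// authenticated user can read any offer by changing the parameter.
function viewOfferVulnerable(PDO $db, int $sessionUserId, int $offerId): ?array
{
    $stmt = $db->prepare('SELECT id, user_id, title FROM offers WHERE id = ?');
    $stmt->execute([$offerId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened pattern: ownership is part of the query, so an offer owned by
// another user is indistinguishable from one that does not exist. This also
// avoids an ID-existence oracle that a separate "fetch, then compare owner,
// then 403" check would create.
function viewOfferFixed(PDO $db, int $sessionUserId, int $offerId): ?array
{
    $stmt = $db->prepare('SELECT id, user_id, title FROM offers WHERE id = ? AND user_id = ?');
    $stmt->execute([$offerId, $sessionUserId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Differential authorization test: user 10 asks for its own offer (1) and for
// user 20's offer (2). A correct handler returns the first and refuses the second.
// user_id is cast because older PDO_SQLITE builds return column values as strings.
function idorCheck(callable $handler, PDO $db): array
{
    $own     = $handler($db, 10, 1);
    $foreign = $handler($db, 10, 2);
    return [
        'own_ok' => $own !== null && (int) $own['user_id'] === 10,
        'leaks'  => $foreign !== null,   // true means the handler has the IDOR
    ];
}

// In a real request the inputs would come from the session and from
// filter_input(INPUT_GET, 'offer_id', FILTER_VALIDATE_INT); here they are fixed.
foreach (['viewOfferVulnerable', 'viewOfferFixed'] as $fn) {
    $r = idorCheck($fn, $db);
    printf("%-20s own_ok=%s leaks=%s\n", $fn,
        var_export($r['own_ok'], true), var_export($r['leaks'], true));
}
```

Run with `php idor_demo.php` (requires the pdo_sqlite extension). The vulnerable handler serves the foreign offer and reports leaks=true; the hardened handler still serves the user's own offer but reports leaks=false. The same two-request comparison, made over HTTP with two accounts' session cookies, is the black-box check for a deployed instance.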
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-01-19
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: sibercii6-crypto
Product: teklifolustur_app
Version / Range: up to 7bc1fb0 (excluding)
CWE-639 (Authorization Bypass Through User-Controlled Key): The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows authenticated users to access offers belonging to other users due to missing authorization checks, leading to unauthorized disclosure of sensitive data. This high confidentiality impact could result in non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls to prevent unauthorized access to personal or sensitive information. [1]


Can you explain this vulnerability to me?

This vulnerability is an Insecure Direct Object Reference (IDOR) in the teklifolustur_app web application. It allows authenticated users to manipulate the 'offer_id' parameter in the offer view functionality to access offers that belong to other users. The root cause is missing authorization checks that fail to verify whether the requested offer actually belongs to the currently authenticated user, enabling unauthorized access to sensitive data. [1]


How can this vulnerability impact me?

The vulnerability can lead to unauthorized access to other users' offers, exposing sensitive information. Since the confidentiality impact is high, attackers can view data they should not have access to. The integrity impact is low, and availability is not affected. This means your sensitive client quotes and related data could be viewed by unauthorized users if the vulnerability is exploited. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection is a differential authorization test: log in as an ordinary user, request an offer that user owns, then request an offer_id that belongs to another account and compare the two responses. For example, with the authenticated session cookies saved in cookies.txt, send GET requests to the offer view endpoint with different offer_id values (the path below is illustrative; substitute the application's actual offer view URL): curl -i -b cookies.txt 'https://yourserver/view_offer.php?offer_id=123'. If the response contains the details of an offer that the authenticated user does not own, the installation is vulnerable; a patched build answers foreign IDs with an error page or a 403/404 rather than the offer. On the server side, review web and application logs for a single session requesting many sequential offer_id values, or IDs that the session's user never created, which is the typical exploitation pattern. [1, 2]


What immediate steps should I take to mitigate this vulnerability?

Apply the patch from commit dd082a134a225b8dcd401b6224eead4fb183ea1c, which enforces an ownership check so that only the owner of an offer can view it. If you maintain a fork, make sure the server-side code identifies the authenticated user from the session, validates offer_id as an integer, and confirms that the offer belongs to that user (for example by including the user's ID in the lookup query) before returning any offer data; a client-side check or hiding links in the UI is not sufficient. If patching is not immediately possible, limit who can reach the offer view functionality (for example by restricting the application to known accounts and, where feasible, by network or web-server access control) and monitor access logs for suspicious offer_id enumeration. Also review session management and input validation while you are in that code path. [2]

