CVE-2026-5779
IDOR in MphRx Minerva V3.6.0 Enables Account Takeover
Publication date: 2026-04-28
Last updated on: 2026-05-05
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| agilonhealth | minerva | 3.6.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an insecure direct object reference (IDOR) in MphRx's Minerva version 3.6.0, specifically in the '/minerva/user/updateUserProfile' endpoint.
It allows an authenticated user to modify the information of other registered users.
For example, an attacker can change another user's email address and then request a new password for that user via the '/webconnect/#/forgotPassword' endpoint.
This can lead to a complete takeover of other users' accounts.
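As an added illustration of the control whose absence this IDOR describes (this is example code written for this page, not MphRx or Minerva code): a profile-update handler that derives the record to modify from the authenticated session rather than from a user id supplied in the request body, and that keeps the recovery email out of the plain profile-update path, since the email is what the forgotPassword flow relies on. The in-memory user store, field names, function names and sample accounts are constructed assumptions; the vulnerable form is shown only for contrast with the hardened one.

```python
"""Added example: binding a profile update to the authenticated principal.

Assumptions (constructed for illustration, not taken from the product):
users live in an in-memory dict keyed by integer user id; authentication
has already happened and the handler receives the session's user id; the
request body mirrors the shape an updateUserProfile-style endpoint accepts.
"""

from copy import deepcopy
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    email: str
    display_name: str


# Constructed sample accounts (hypothetical data).
SAMPLE_USERS = {
    1: User(1, "alice@example.invalid", "Alice"),
    2: User(2, "bob@example.invalid", "Bob"),
}


def fresh_users():
    """Return an independent copy of the sample store so callers do not share state."""
    return deepcopy(SAMPLE_USERS)


# Fields a user may change about themselves through this endpoint. Email is
# deliberately excluded: it is the password-recovery channel, so changing it
# belongs in a separate confirm-by-link flow, not a plain profile update.
SELF_EDITABLE = {"display_name"}


class AuthorizationError(Exception):
    """Raised when a request names a record the session is not allowed to touch."""


def update_user_profile_vulnerable(session_user_id, body, users):
    """'Before' form (the CWE-284 pattern): the record to update is chosen by
    the client-supplied userId, so the session user is never consulted."""
    target = users[int(body["userId"])]
    for key, value in body.items():
        if key != "userId":
            setattr(target, key, value)
    return target


def update_user_profile(session_user_id, body, users):
    """Hardened form: the target is always the session user; a mismatching
    userId is rejected loudly rather than silently ignored, so the attempt
    shows up in application logs; non-editable fields are refused."""
    target = users[session_user_id]

    if "userId" in body and int(body["userId"]) != session_user_id:
        raise AuthorizationError(
            f"user {session_user_id} attempted to update user {body['userId']}"
        )

    requested = set(body) - {"userId"}
    not_allowed = requested - SELF_EDITABLE
    if not_allowed:
        raise ValueError(
            f"field(s) not editable via profile update: {sorted(not_allowed)}"
        )

    for key in requested:
        setattr(target, key, body[key])
    return target
```

The usage pattern is the same for both functions: pass the session's user id, the parsed request body and the user store. The hardened version only ever writes to `users[session_user_id]`, and any request that names another user or touches the email field raises instead of succeeding, which is also the event worth alerting on.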
How can this vulnerability impact me?
The vulnerability can have severe impacts including unauthorized modification of user information.
An attacker who exploits this flaw can take over other users' accounts by changing their email addresses and resetting their passwords.
This compromises user privacy and security, potentially leading to data breaches, loss of trust, and unauthorized access to sensitive information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an authenticated user to modify other users' information, including email addresses, and potentially take over accounts. This unauthorized access and modification of personal data could lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls over access to personal and sensitive information.
Specifically, the ability to alter user profiles and request password resets without proper authorization undermines data integrity and confidentiality, key principles in these regulations.