- Status: Closed
- Assigned To: cbay - Private
Attached to Project: Security vulnerabilities
Opened by BugFinder - 06.12.2025
Last edited by cbay - 08.12.2025
FS#258 - Bug Report - IDOR Allows to Raise Closure Request To a Different User Task
Description: User A can raise a Closure Request to user B's task.
Steps to Reproduce:
1. Create two accounts A and B in Bug Tracking Interface.
2. From each account create a task.
3. Now turn on Burp Suite intercept, from account A click on "Request Closure" and enter a reason, then submit.
4. Change the task id of user A to user B's everywhere in the request, intercept response, then click forward.
5. Will see status code "200 OK" confirming the request has been made, turn off intercept.
6. Now go to account B see the request is successful and the reason is also added as shown in POC-4.png.
For any further information please let me know.
Regards,
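
The missing server-side check behind the report above, shown as an added example that is not part of the original ticket and is not Flyspray code. The `Task` model, the handler names and the rule that only the account that opened a task may request its closure are assumptions made for illustration.

```python
# Added example: hypothetical in-memory model, not Flyspray code.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the session user may not act on the referenced task."""


@dataclass
class Task:
    task_id: int
    opened_by: str                      # account that created the task
    closure_requests: list = field(default_factory=list)


# Constructed sample data: one task per account, as in the report.
TASKS = {1: Task(1, "userA"), 2: Task(2, "userB")}


def request_closure_vulnerable(session_user, task_id, reason):
    """Trusts the client-supplied task_id; no ownership check (the IDOR)."""
    task = TASKS[task_id]
    task.closure_requests.append((session_user, reason))
    return 200


def request_closure_checked(session_user, task_id, reason):
    """Authorizes against the server-side session identity before writing."""
    task = TASKS.get(task_id)
    # Assumed rule: only the account that opened a task may request closure.
    # Unknown and foreign task ids get the same answer, so ids cannot be probed.
    if task is None or task.opened_by != session_user:
        raise Forbidden(f"{session_user} may not request closure of task {task_id}")
    task.closure_requests.append((session_user, reason))
    return 200


def demo():
    """Replay the report's request with a swapped task id against both handlers."""
    results = {"vulnerable": request_closure_vulnerable("userA", 2, "done")}
    try:
        results["checked"] = request_closure_checked("userA", 2, "done")
    except Forbidden:
        results["checked"] = 403
    results["own_task"] = request_closure_checked("userA", 1, "done")
    return results


if __name__ == "__main__":
    print(demo())
```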
Hello,
That would be a vulnerability in Flyspray, you should report it to them. Vulnerabilities from third party applications are excluded from our bug bounty program.
Kind regards,
Cyril
Ok thanks, I have reported it to them.
Regards,
Sourish