IDOR in Team Members API Exposes Private Emails and Roles of Any Team

Disclosed by
SamSazzad
Summary by SamSazzad

Summary:
An Insecure Direct Object Reference (IDOR) vulnerability was identified in the team management feature of globe.gov. By manipulating the orgId parameter, an attacker could access member information — including email addresses and role details — from teams they were not part of.
This exposure could lead to unauthorized disclosure of Personally Identifiable Information (PII) and targeted phishing.

Activity