Vulnerability Summary
HackerOne disclosed report --> https://hackerone.com/reports/3370430 by hossam25
A Broken Access Control vulnerability allows users to change project visibility — a feature restricted to higher subscription tiers — by simply setting the visibility field in the request body to Personal or Workspace. The server does not enforce the subscription check on this field, so a lower-tier user gains premium functionality without authorization.
Request URL: https://lovable-api.com/workspaces/{YOUR-WORKSPACE-ID}/projects
Request body:
{"description":"landing view","visibility":"Personal","initial_message":{"id":"umsg_01k6qkw83ze07t9f7m9p3jabs9","message":"landing view","files":[],"optimisticImageUrls":[],"chat_only":false,"agent_mode_enabled":false,"ai_message_id":"aimsg_01k6qkw841e07t9f7ytpghd6bs"}}
A vulnerability was identified where an authenticated user could disable Multi-Factor Authentication (MFA) on their own account by modifying hidden account attributes through a backend API endpoint. This allowed subsequent logins without an MFA prompt, effectively bypassing the security control and increasing the risk of unauthorized access in the event of credential compromise.
HackerOne disclosed report --> https://hackerone.com/reports/3543475 by xavlimsg
HackerOne disclosed report --> https://hackerone.com/reports/3020021 by adilnbabras