Hi, I'm Merroun Lahcen from DevSecure — we specialize in uncovering hidden vulnerabilities that pose real-world risks to modern web applications.
All vulnerabilities shared in these write-ups are fully redacted — any company names, domains, or sensitive details are replaced with placeholders such as company.com. Each finding was responsibly disclosed through the Intigriti platform and has been verified and resolved by the affected vendor.
Every post represents our commitment to ethical hacking, responsible disclosure, and continuous learning — helping organizations strengthen their defenses while contributing to a safer global cybersecurity ecosystem.
this is critical because its a full access to PII information including emails for all customers in company database even its not in my tenant or Context
and i access it with low privilige a admin user with no access to any data for his tenant can access to all of thats
POC
1/ log in here https://admin.company.com/ as admin
2/ go to https://admin.company.com/user/details/linkedusers
3/ you can see in the burpsuit a url request to api
GET /api/rest/user/details/linkedUsers?start=0&limit=100 HTTP/1.1
Host: api.company.com
get the cookies from this request we will use theme in the next request or just replace (/user/details/linkedUsers?start=0&limit=100) with (/user/details/110?limit=50 HTTP/1.1)
3/ from this endpoint and using your cookie you can get user information including email addresse
for a user with id 110
GET /api/rest/userdetails/110?limit=50 HTTP/1.1
Host: api.company.com
now you can access to any user in company database
this is my id
1133224
i try it with some ids as POC
any hacker can enumerate full db in just 1 HOUR
and as a admin you can try this with other admin with no access ( with his cookie) to any thing in the company and stel have access to full company users info in db
Impact
PII CUSTOMERS INFORMATION DISCLOSURE
Platform : Intigriti
Timeline :
Reported: 10/02/2023
Triaged: 13/02/2023
Accepted & paid: 13/02/2023
Bounty: €3,000