It was found that Ipsilon does not check whether a user is authorized to delete a service provider. This makes it possible for any authenticated user to delete any service provider, causing a denial of service.
The vulnerable code is at:
This has been fixed with 9dec97c.
Releases 1.0.2 and 1.1.1 have been released to resolve this.
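The missing check described above, as an added illustration that is not Ipsilon's code: a minimal in-memory service-provider store with the vulnerable delete path (authentication only) beside a hardened one that also requires the caller to be an admin or the provider's owner. The `User`, `ServiceProvider`, `owner` and `is_admin` names are assumptions for the example.

```python
# Added example, not Ipsilon's code: models the service-provider delete path.
from dataclasses import dataclass


@dataclass
class User:
    name: str
    is_admin: bool = False


@dataclass
class ServiceProvider:
    name: str
    owner: str  # assumed field: the user who registered this provider


def can_delete(user, sp):
    """Authorization rule: only an admin or the provider's owner may delete."""
    return user.is_admin or sp.owner == user.name


class SPStore:
    def __init__(self):
        self.sps = {}  # constructed sample data lives here, keyed by SP name

    def add(self, sp):
        self.sps[sp.name] = sp

    def delete_unchecked(self, user, sp_name):
        """Vulnerable pattern: any authenticated user may delete any provider."""
        if user is None:
            raise PermissionError("authentication required")
        return self.sps.pop(sp_name, None) is not None

    def delete_checked(self, user, sp_name):
        """Fixed pattern: authenticate, then authorize against the target SP."""
        if user is None:
            raise PermissionError("authentication required")
        sp = self.sps.get(sp_name)
        if sp is None:
            return False  # nothing to delete; do not leak more than that
        if not can_delete(user, sp):
            raise PermissionError("%s may not delete %s" % (user.name, sp_name))
        del self.sps[sp_name]
        return True


def build_store():
    """Constructed sample: one provider registered by 'alice'."""
    store = SPStore()
    store.add(ServiceProvider(name="sp-alice", owner="alice"))
    return store
```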
keywords: => security
milestone: => 1.2
resolution: => fixed
status: new => closed
type: defect => Security
Metadata Update from @puiterwijk:
- Issue assigned to puiterwijk
- Issue set to the milestone: 1.2
- Issue tagged with: security