Askbot 0.12.2 - Insecure Direct Object Reference (IDOR)

Description

All versions of askbot before and including 0.12.2 allow an attacker authenticated with normal user permissions to modify the profile picture of other application users. This is possible because the application does not properly validate user authorization when handling profile avatar updates. By intercepting and modifying the POST request used to change the profile picture, an attacker can alter the user_id parameter and update the avatar of any user in the application. The issue occurs in the avatar_view.py file, specifically in the admin_or_owner_require.

Vulnerability

This vulnerability occurs because the application is vulnerable to Insecure Direct Object Reference (IDOR). The admin_or_owner_required function incorrectly validates user permissions by comparing the authenticated user ID with a user_id value supplied by the client, which can be manipulated. As a result, the application fails to enforce proper access control, allowing unauthorized users to perform actions on resources belonging to other users.

PoC

Evidence of Exploitation

Our security policy

We have reserved the ID CVE-2026-1213 to refer to this issue from now on.

Disclosure policy

System Information

• Askbot

• Version 0.12.2

• Operating System: Any

References

• Github Repository: https://github.com/ASKBOT/askbot-devel

• Patch: https://github.com/ASKBOT/askbot-devel/commit/3da3d75f35204aa71633c7a315327ba39cb6295d

Mitigation

An updated version of Askbot is available at the vendor page.

Credits

The vulnerability was discovered by Daniel Celis, an independent security researcher.