Closed
Bug 1496994
Opened 7 years ago
Closed 7 years ago
Mozilla Django Rest Framework Root API Publicly Disclosure ON https://normandy.cdn.mozilla.net
Categories
(Websites :: Other, defect)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: aryanrupala7, Unassigned)
Details
(Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?])
Summary:
https://normandy.cdn.mozilla.net Allows Any User To Access The Django Rest Framework Root API Which Allows an Attacker to view that lists the urls passed to it via api_urls.
Steps To Reproduce
1. Navigate To https://normandy.cdn.mozilla.net/api/v1
2. Attacker Simply Changes The api version on url and view that lists the urls passed to it via api_urls.
Impact
Attacker Could view that lists the urls passed to it via api_urls Which Leads to Private Information Leakage Of Mozilla Api Services.
Flags: sec-bounty?
Comment 1•7 years ago
Thanks for your report, but this is very much the intent.
Group: websites-security
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
Updated•7 years ago
Flags: sec-bounty? → sec-bounty-
Updated•1 year ago
Keywords: reporter-external