CVE-2026-25197

Unknown · Multiple Products

A specific API endpoint in the affected software allows authenticated users to pivot to other user profiles. By modifying the ID number in API calls, users can access unauthorized data.

Executive summary

An authenticated Insecure Direct Object Reference (IDOR) vulnerability allows users to access and potentially modify unauthorized profiles by manipulating API parameters.

Vulnerability

This vulnerability is an IDOR flaw located in a specific API endpoint. It allows an authenticated user to pivot to other user profiles by simply modifying the 'id' number within the API call, bypassing intended access controls.

Business impact

The impact of this vulnerability includes unauthorized access to sensitive user information and potential account takeovers. With a CVSS score of 9.1, this is a critical risk as it allows lateral movement between user accounts. This could lead to significant privacy violations, regulatory non-compliance, and loss of customer trust.

Remediation

Immediate Action: Apply the latest security patches provided by the vendor to enforce proper authorization checks on all API endpoints.

Proactive Monitoring: Review API access logs for patterns of sequential ID requests or requests for IDs that do not match the authenticated user's session.

Compensating Controls: Deploy an API gateway or WAF capable of performing deep packet inspection to validate that the requested resource ID matches the user's authorization token.
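The monitoring step above can be made concrete. The following is an added example, not code from the advisory or from the affected vendor: it runs the two suggested checks (requests whose profile id differs from the authenticated session, and runs of sequential ids) over a few constructed access-log lines. The log format and the `/api/v1/profiles/<id>` path are assumptions made here so the example can run offline.

```python
"""Detection sketch for the IDOR pattern in the advisory (added example).

The log format, the endpoint path and every id/timestamp below are
constructed for illustration; nothing here is real traffic.
"""
import re
from collections import defaultdict

# Assumed log format: "<timestamp> user=<authenticated user id> <METHOD> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\d+) (?P<method>[A-Z]+) "
    r"/api/v1/profiles/(?P<target>\d+) (?P<status>\d{3})$"
)

# Constructed sample: user 1042 reads its own profile, then walks neighbouring ids;
# user 2210 reads its own profile and is correctly denied on a foreign one.
SAMPLE_LOG = """\
2026-02-01T10:00:01Z user=1042 GET /api/v1/profiles/1042 200
2026-02-01T10:00:05Z user=1042 GET /api/v1/profiles/1043 200
2026-02-01T10:00:06Z user=1042 GET /api/v1/profiles/1044 200
2026-02-01T10:00:07Z user=1042 PUT /api/v1/profiles/1045 200
2026-02-01T10:00:09Z user=2210 GET /api/v1/profiles/2210 200
2026-02-01T10:00:12Z user=2210 GET /api/v1/profiles/7 403
"""


def parse(log):
    """Yield one dict per line matching the assumed format; other lines are skipped."""
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["user"] = int(rec["user"])
            rec["target"] = int(rec["target"])
            rec["status"] = int(rec["status"])
            yield rec


def cross_user_hits(log):
    """Successful (2xx) requests where the profile id is not the caller's own.

    Returns (user, method, target) tuples. A 403 means the authorization
    control did its job, so denied requests are not reported.
    """
    return [
        (r["user"], r["method"], r["target"])
        for r in parse(log)
        if r["target"] != r["user"] and 200 <= r["status"] < 300
    ]


def sequential_scanners(log, min_run=3):
    """Users whose requested ids contain a run of at least min_run consecutive values.

    Ids are collected per user, de-duplicated and sorted before the run check,
    so the order in which the requests arrived does not matter.
    """
    ids_by_user = defaultdict(set)
    for r in parse(log):
        ids_by_user[r["user"]].add(r["target"])

    flagged = []
    for user, ids in ids_by_user.items():
        ordered = sorted(ids)
        run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                flagged.append(user)
                break
    return sorted(flagged)


if __name__ == "__main__":
    for hit in cross_user_hits(SAMPLE_LOG):
        print("cross-user access:", hit)
    print("sequential id scan by users:", sequential_scanners(SAMPLE_LOG))
```

Both checks are deliberately simple so they can be ported to whatever query language the log platform uses; the cross-user check only works when the log records the authenticated principal alongside the requested path, which is worth confirming before relying on it.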

Exploitation status

Public Exploit Available: false

Analyst recommendation

Although this vulnerability requires authentication, the ability to access any user profile makes it a critical threat. Organizations should immediately update the affected software to the latest version. Developers should ensure that all resource requests are validated against the current user's session permissions to prevent future IDOR occurrences.
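The developer guidance in the last sentence is the core fix for any IDOR. As an added example that is not the affected product's code, the handler below shows the flawed shape (authenticated, but trusting the caller-supplied id) next to a version that derives authorization from the session; the in-memory store, the `Session` type and the admin list are constructed for illustration.

```python
"""Object-level authorization for a profile endpoint (added example).

The profile store, the Session type and the ADMINS set are constructed
placeholders; the affected product's real data model is not known here.
"""
from dataclasses import dataclass

# Constructed store: profile id -> owning user id plus a field worth protecting.
PROFILES = {
    1042: {"owner": 1042, "email": "a@example.invalid"},
    1043: {"owner": 1043, "email": "b@example.invalid"},
}
# Constructed: user ids permitted to read any profile (e.g. support staff).
ADMINS = {1}


class Forbidden(Exception):
    """Raised when the session may not access the requested profile."""


@dataclass(frozen=True)
class Session:
    """Server-side session state; user_id comes from authentication, never from the request."""
    user_id: int


def get_profile_vulnerable(session: Session, profile_id: int) -> dict:
    """Authenticated but not authorized: any logged-in user can read any id.

    This is the IDOR shape: the session is checked for existence upstream,
    but the object lookup trusts whatever id the client put in the URL.
    """
    return PROFILES[profile_id]


def is_allowed(session: Session, profile_id: int) -> bool:
    """Decide access from the session, not from the request.

    Returns False both for a foreign profile and for a non-existent one, so
    the response does not reveal which ids exist.
    """
    profile = PROFILES.get(profile_id)
    if profile is None:
        return False
    return profile["owner"] == session.user_id or session.user_id in ADMINS


def get_profile_fixed(session: Session, profile_id: int) -> dict:
    """Same endpoint with an object-level authorization check before the read."""
    if not is_allowed(session, profile_id):
        raise Forbidden("not permitted to access this profile")
    return PROFILES[profile_id]


def get_own_profile(session: Session) -> dict:
    """Safest variant: the id is taken from the session, so there is nothing to tamper with."""
    return PROFILES[session.user_id]


if __name__ == "__main__":
    me = Session(user_id=1042)
    print("vulnerable, foreign id:", get_profile_vulnerable(me, 1043)["email"])
    print("fixed, own id:", get_profile_fixed(me, 1042)["email"])
    try:
        get_profile_fixed(me, 1043)
    except Forbidden as exc:
        print("fixed, foreign id:", exc)
```

The check lives next to the data access rather than in a front-end or a gateway rule so that every code path that reaches the object passes through it, which is what "validated against the current user's session permissions" requires in practice.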