Eyecomms · Eyecms · CVE-2019-17604
**Name of the Vulnerable Software and Affected Versions**
eyecomms eyeCMS versions prior to 2019-10-15
**Description**
The issue allows any candidate to modify other candidates' personal information, including first name, last name, email, CV, phone number, and other details, by altering the `id` parameter. This is an Insecure Direct Object Reference (IDOR) vulnerability.
**Recommendations**
For versions prior to 2019-10-15, as a temporary workaround, consider restricting access to the `id` parameter to prevent unauthorized changes to candidate information. Additionally, avoid using the `id` parameter in sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
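The authorization check this class of flaw calls for, shown as an added example that is not eyeCMS code and is not taken from the advisory: a profile-update handler that trusts the request's `id` next to one that binds the update to the authenticated candidate and records refused attempts. The in-memory store, session layout, field names and function names are all assumptions made for illustration.

```python
EDITABLE_FIELDS = {"first_name", "last_name", "email", "phone", "cv"}

# Constructed sample data standing in for the candidate table (hypothetical).
SAMPLE_CANDIDATES = {
    101: {"first_name": "Alice", "last_name": "Ng", "email": "alice@example.test", "phone": "555-0101", "cv": "alice.pdf"},
    102: {"first_name": "Bob", "last_name": "Roy", "email": "bob@example.test", "phone": "555-0102", "cv": "bob.pdf"},
}

class Forbidden(Exception):
    """Raised when a request targets a record the session does not own."""

def update_profile_vulnerable(store, session, params):
    # Pattern described in the advisory: the record is selected by the
    # client-supplied id; the session only proves that someone is logged in.
    if "candidate_id" not in session:
        raise Forbidden("login required")
    record = store[int(params["id"])]
    record.update({k: v for k, v in params.items() if k in EDITABLE_FIELDS})
    return record

def update_profile_hardened(store, session, params, audit_log):
    # The target is always the authenticated candidate's own record. A supplied
    # id that differs is refused and logged so tampering shows up in review.
    owner_id = session.get("candidate_id")
    if owner_id is None:
        raise Forbidden("login required")
    requested = params.get("id")
    if requested is not None and str(requested) != str(owner_id):
        audit_log.append({"event": "idor_denied", "actor": owner_id, "target": str(requested)})
        raise Forbidden("id does not match authenticated candidate")
    record = store[owner_id]
    record.update({k: v for k, v in params.items() if k in EDITABLE_FIELDS})
    return record

def demo():
    # Constructed request: candidate 101 is logged in but names record 102.
    session = {"candidate_id": 101}
    request = {"id": "102", "email": "changed@example.test"}
    weak = {k: dict(v) for k, v in SAMPLE_CANDIDATES.items()}
    strong = {k: dict(v) for k, v in SAMPLE_CANDIDATES.items()}
    log = []
    update_profile_vulnerable(weak, session, request)
    try:
        update_profile_hardened(strong, session, request, log)
        denied = False
    except Forbidden:
        denied = True
    return weak[102]["email"], strong[102]["email"], denied, log
```

The `idor_denied` audit entries give operators a signal to alert on: a logged-in candidate repeatedly naming ids other than their own.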