Ins0

Name of the Vulnerable Software and Affected Versions: Shinobi through ocean version 1 Description: An issue was discovered in the lib/auth.js file, where Incorrect Access Control allows attackers to bypass API key validation. By utilizing JavaScript Proto Method names, such as `constructor` or `hasOwnProperty`, an attacker can trick the system into believing a supplied API key is valid, thus gaining complete access to User, Admin, and Super API functions. This can be achieved through API endpoints like "/super/constructor/accounts/list". Recommendations: For Shinobi through ocean version 1, consider restricting access to the `lib/auth.js` file and limiting the use of JavaScript Proto Method names to prevent exploitation until a proper fix is implemented. As a temporary workaround, restrict access to sensitive API endpoints, such as "/super/constructor/accounts/list", to minimize the risk of unauthorized access.