Stratonwebdesigners

**Name of the Vulnerable Software and Affected Versions** HireFlow version 1.2 **Description** Incorrect Access Control allows authenticated users to perform horizontal privilege escalation. The application fails to enforce object-level authorization on the "/candidate/<id>" and "/interview/<id>" endpoints. Route handlers retrieve records using the user-supplied `id` without verifying if the requester is the owner or possesses an authorized role, potentially leading to a full data breach of all candidate profiles and interview notes. **Recommendations** Implement object-level authorization checks for the "/candidate/<id>" and "/interview/<id>" endpoints to ensure users can only access records they are authorized to view.