Horizontal privilege escalation
The My Profile request carries the user identifier as a client-controlled parameter (preActivityParams, value UserID:<account>, sent URL-encoded as UserID%3A<account>). Intercepting that request in a proxy and replacing the identifier with another account's causes the portal to render that account's profile, so any authenticated user can view other users' details.
Steps to Reproduce
- Log in to the application using the Pharmacist account.
- Click My Profile.
- Capture the request through the proxy interceptor.
- Modify the preActivityParams parameter in the request: replace UserID%3Astgcallct with UserID%3Astgcallctrmgr (%3A is the URL-encoded colon) and forward the request.
- The Manager profile is displayed while still logged in as the Pharmacist.
The user identifier is taken from a request parameter the client controls, and the server returns the profile for whatever identifier it receives without checking that it belongs to the authenticated session. This is an insecure direct object reference (broken access control) rather than Cross-Site Scripting: no script is injected, the request is simply re-pointed at another account and that account's details are retrieved. The fix is to derive the user from the server-side session and reject any client-supplied identifier that does not match it.
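The following is an added example, not code from the report or from the application under test. It contrasts a profile handler that trusts the client-supplied UserID in preActivityParams with one that binds the lookup to the session, and includes a helper that reproduces the proxy edit from the steps for a scripted retest. The profile store, the function names and the ';'-separated multi-pair format (the captured request shows only the single UserID pair) are assumptions.

```python
# Added example: vulnerable vs. hardened handling of the preActivityParams
# user selector. Not code from the application under test; the profile store,
# function names and the ';'-separated multi-pair format are assumptions.
from urllib.parse import parse_qs, parse_qsl, urlencode

# Constructed sample profile store using the two accounts named in the steps.
PROFILES = {
    "stgcallct": {"name": "Pharmacist", "role": "pharmacist"},
    "stgcallctrmgr": {"name": "Manager", "role": "manager"},
}


def parse_pre_activity_params(value):
    """Split an already URL-decoded 'Key:Value[;Key:Value]' string into a dict.

    The captured request carries a single pair ('UserID:stgcallct' once '%3A'
    is decoded); the ';' separator for additional pairs is an assumption.
    """
    params = {}
    for pair in value.split(";"):
        if ":" in pair:
            key, val = pair.split(":", 1)
            params[key.strip()] = val.strip()
    return params


def _requested_user_id(query_string):
    """Return the UserID the client asked for, or None if none was supplied.

    parse_qs percent-decodes exactly once and the value is never decoded again,
    so a double-encoded '%253A' does not turn into a usable separator.
    """
    raw = parse_qs(query_string).get("preActivityParams", [""])[0]
    return parse_pre_activity_params(raw).get("UserID")


def profile_vulnerable(session_user, query_string):
    """Trusts the client-supplied UserID, falling back to the session user.

    Any authenticated user can read any other user's profile by editing the
    parameter in a proxy: this is the horizontal privilege escalation.
    """
    user_id = _requested_user_id(query_string) or session_user
    return PROFILES.get(user_id)


def profile_hardened(session_user, query_string):
    """Binds the lookup to the authenticated session.

    A client-supplied UserID is accepted only when it equals the session's own
    identifier; any other value is treated as tampering and refused (a real
    handler would return 403 and write an audit record).
    """
    requested = _requested_user_id(query_string)
    if requested is not None and requested != session_user:
        raise PermissionError(
            f"session user {session_user!r} requested profile {requested!r}"
        )
    return PROFILES.get(session_user)


def rewrite_user_id(query_string, new_user_id):
    """Reproduce the proxy edit from the steps: swap the UserID and re-encode.

    Other query parameters are preserved in order; the colon is re-emitted as
    '%3A', matching the captured request.
    """
    pairs = []
    for key, val in parse_qsl(query_string, keep_blank_values=True):
        if key == "preActivityParams":
            params = parse_pre_activity_params(val)
            params["UserID"] = new_user_id
            val = ";".join(f"{k}:{v}" for k, v in params.items())
        pairs.append((key, val))
    return urlencode(pairs)


if __name__ == "__main__":
    original = "preActivityParams=UserID%3Astgcallct"
    tampered = rewrite_user_id(original, "stgcallctrmgr")
    print("tampered request:", tampered)
    print("vulnerable handler returns:", profile_vulnerable("stgcallct", tampered))
    try:
        profile_hardened("stgcallct", tampered)
    except PermissionError as err:
        print("hardened handler refuses:", err)
```

The hardened variant deliberately does not silently ignore a mismatched UserID: a mismatch only occurs when the client has altered the request, so refusing it (and logging it) gives the security operations team a signal for this exact tampering pattern.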