lemur
Pending certificates still accessible after creation
Pending certificates remain accessible after the certificate has been created; this creates an Insecure Direct Object Reference (IDOR).
When a certificate is in the Pending state it is visible in the web application. When the automated job finishes, the certificate is either rejected and removed from that list or added to the Certificates tab.
Pending certificates can still be accessed by changing the ID value in the URL of the API endpoint. This can be done as either an Admin or a Read-Only user.
The referenced issue was found via a pen test conducted in collaboration with Infor and Cobalt.io.
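As an added illustration (not Lemur's own code), the following shows the weak lookup pattern that produces this IDOR beside a hardened version that enforces both the record's lifecycle state and object-level authorization; the data model, status names and roles are assumptions.

```python
# Added example, not Lemur's code: object-level authorization for a
# "pending certificate" API endpoint. Model, status values and roles are assumed.
from dataclasses import dataclass


@dataclass
class PendingCertificate:
    id: int
    owner: str
    status: str  # assumed states: "pending", "issued", "rejected"


@dataclass
class User:
    name: str
    role: str  # assumed roles: "admin", "read-only"


# Constructed sample store keyed by id, standing in for the database.
STORE = {
    1: PendingCertificate(1, "alice", "pending"),
    2: PendingCertificate(2, "bob", "issued"),    # job finished, cert created
    3: PendingCertificate(3, "bob", "rejected"),  # job finished, cert rejected
}


def get_pending_vulnerable(cert_id: int, user: User):
    # Weak pattern: any authenticated user can fetch any record by id,
    # including records whose automated job has already finished.
    return STORE.get(cert_id)


def get_pending_hardened(cert_id: int, user: User):
    record = STORE.get(cert_id)
    # Resolved records must behave as if they no longer exist. Returning the
    # same "not found" result as for a missing id avoids confirming valid ids.
    if record is None or record.status != "pending":
        return None
    # Object-level authorization, checked per record rather than per endpoint:
    # only the owner or an admin may read a pending certificate.
    if user.role != "admin" and record.owner != user.name:
        return None
    return record
```

Every endpoint that takes an id from the URL needs this per-object check; an endpoint-level role check alone does not stop id substitution.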