godot-asset-library
godot-asset-library copied to clipboard
Unauthorized Access to pending Assets through enumeration
~~https://godotengine.org/asset-library/asset/edit/9752~~ <- this has since been approved You should not be able to see details of a pending asset. Yet you can, ~~by following the link above. I could have found that link~~ through enumeration, since the db uses incrementing numeric ids.
As you can see, I am not logged in, yet able to view this pending asset
This is a security risk in 2 scenarios:
- A malicious asset could be presented as legitimate since it's accessible on the official asset lib. There's nothing on the page to suggest that this is not approved.
- (less likely) A malicious actor finds a pending asset with sensitive info accidentally left in there