an attacker can access data from other organizers
Proof of Concept
user1 belongs to org1 and creates event1user2 belongs to org2 and creates event2user2 requests the e-mail log: GET /admin/api/event/event2/email/?page=0&search= HTTP/1.1user2 replaces event2 with event1 and re-runs the request: GET /admin/api/event/event1/email/?page=0&search= HTTP/1.1user2 receives email log from event1 which belongs to another organization
an attacker can access data from other organizers
Proof of Concept
user1belongs toorg1and createsevent1user2belongs toorg2and createsevent2user2requests the e-mail log:GET /admin/api/event/event2/email/?page=0&search= HTTP/1.1user2replacesevent2withevent1and re-runs the request:GET /admin/api/event/event1/email/?page=0&search= HTTP/1.1user2receives email log fromevent1which belongs to another organization