Vulnerability Type: Broken Function Level Authorization (BFLA)

Affected Software: coco-annotator v0.11.1

Description:
- An attacker can delete categories created by other users via a DELETE request to the endpoint, which performs no ownership or permission check.
- No authorization check ensures that the requester is the original creator of the category or has elevated permissions.

Vulnerable Endpoint:
- Host:

Impact:
- Any authenticated user can delete categories created by other users.
- The missing verification leads to data integrity issues, potential denial of service, or abuse in multi-tenant environments.

Steps to Reproduce:
1. Log in as User A and create a category.
2. Log in as User B (a separate, normal user).
3. Send the following request as User B:
   -
4. The category created by User A is deleted by User B.

Source:
- https://github.com/nmmorette/vulnerability-research/blob/main/BFLA%20CO%20Annotator%20in%20DELETE%20api%20undo/BFLA%20CO%20Annotator%20in%20DELETE%20api%20undo%20r2f1ef09b8736807aa1f7ede4b640a35d.md
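The following is an added illustration of the missing check, not code from the coco-annotator project: a minimal in-memory model of users and categories with the delete handler as the advisory describes it (existence check only) beside a hardened version that enforces creator-or-admin authorization. The `creator` and `is_admin` fields and the handler names are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class User:
    username: str
    is_admin: bool = False  # assumed privilege flag for this example


@dataclass
class Category:
    id: int
    name: str
    creator: str  # username of the user who created the category (assumed field)


@dataclass
class CategoryStore:
    categories: Dict[int, Category] = field(default_factory=dict)

    def create(self, user: User, cat_id: int, name: str) -> Category:
        cat = Category(cat_id, name, user.username)
        self.categories[cat_id] = cat
        return cat


def delete_category_vulnerable(store: CategoryStore, requester: User, cat_id: int) -> Tuple[int, dict]:
    """Behaviour described in the advisory: the handler only checks that the
    category exists, so any authenticated user can delete anyone's category."""
    if cat_id not in store.categories:
        return 404, {"message": "Category not found"}
    del store.categories[cat_id]
    return 200, {"success": True}


def delete_category_hardened(store: CategoryStore, requester: User, cat_id: int) -> Tuple[int, dict]:
    """Function-level authorization: only the creator or an admin may delete."""
    cat = store.categories.get(cat_id)
    if cat is None:
        return 404, {"message": "Category not found"}
    if not (requester.is_admin or cat.creator == requester.username):
        # Deny before touching the record; log the attempt in a real service.
        return 403, {"message": "Not authorized to delete this category"}
    del store.categories[cat_id]
    return 200, {"success": True}


def reproduce(handler) -> Tuple[int, bool]:
    """Replays the advisory's steps: User A creates a category, User B deletes it.
    Returns the handler's status code and whether the category survived."""
    store = CategoryStore()
    user_a, user_b = User("user_a"), User("user_b")
    store.create(user_a, 1, "car")
    status, _ = handler(store, user_b, 1)
    return status, 1 in store.categories
```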