### Vulnerability Overview

- **Vulnerability Type**: Potential Insecure Direct Object Reference (IDOR) vulnerability
- **Description**: The `updated_answer_questionnaire` view in `dojosurvey/views.py` allows anonymous access when the `anonymous_survey_response` setting is enabled. Because the view is addressed by a numeric `id`, an unauthenticated user could guess the IDs of other survey participants and access their survey data.

### Scope of Impact

- **Affected File**: `dojosurvey/views.py`
- **Specific Location**: `updated_answer_questionnaire` view
- **Potential Risk**: Unauthorized users can access other users' survey data, leading to data leakage.

### Remediation

- **Recommended Measure**: Ensure that the `updated_answer_questionnaire` view only allows access when the user is authenticated, even if the `anonymous_survey_response` setting is enabled.
- **Specific Steps**:
  1. Review the code for the `updated_answer_questionnaire` view.
  2. Add user authentication checks so that only authenticated users can access this view.
  3. Test the patched code to confirm that anonymous access is correctly blocked.

### POC Code

```python
# dojosurvey/views.py
def updated_answer_questionnaire(request, id):
    # The current implementation may be vulnerable; its body is not
    # reproduced in this report.
    pass
```

### Additional Information

- **Pull Request**: [Refactor get_object_or_404 calls for Engagement and Engagement_Presets #14375](https://github.com/DefectDojo/django-DefectDojo/pull/14375)
- **Commenter**: dryrunsecurity
- **Comment Time**: February 25, 2023

### Summary

This vulnerability involves the `updated_answer_questionnaire` view in `dojosurvey/views.py`, which allows anonymous access and may enable unauthorized users to access other users' survey data. It is recommended to add user authentication checks to fix this vulnerability.
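The remediation above, written out as an added example that is not DefectDojo's own code: a framework-free sketch of the hardened view with constructed stand-ins for the request, user and settings objects (`User`, `Request`, `Response`, `ANSWERED` are all hypothetical). It goes one step beyond the report's stated fix by also checking that the response identified by `id` belongs to the requesting user, since an authentication check alone does not stop one logged-in user from guessing another user's ID.

```python
from dataclasses import dataclass

# Constructed stand-ins for Django's request/user objects (hypothetical).
@dataclass
class User:
    username: str
    is_authenticated: bool = True

ANONYMOUS = User(username="", is_authenticated=False)

@dataclass
class Request:
    user: User

@dataclass
class Response:
    status: int
    body: str = ""

# Constructed sample data: answered-questionnaire id -> owning username.
ANSWERED = {1: "alice", 2: "bob"}

# Mirrors the setting named in the report; the hardened view below
# deliberately never consults it when editing an existing response by id.
settings = {"anonymous_survey_response": True}

def updated_answer_questionnaire(request: Request, id: int) -> Response:
    """Hardened version of the view: editing an existing response always
    requires an authenticated user who owns that response, regardless of
    whether anonymous_survey_response is enabled."""
    # Step 2 of the remediation: reject anonymous callers outright.
    if not request.user.is_authenticated:
        return Response(403, "authentication required")
    owner = ANSWERED.get(id)
    if owner is None:
        return Response(404, "no such response")
    # Object-level authorization: this is what actually closes the IDOR,
    # because an authenticated attacker could otherwise still guess ids.
    if owner != request.user.username:
        return Response(403, "not the owner of this response")
    return Response(200, f"editing response {id}")

def anonymous_blocked_for_every_setting(id: int) -> bool:
    """Step 3 of the remediation: anonymous access must be denied whether
    the setting is on or off."""
    results = []
    for enabled in (True, False):
        settings["anonymous_survey_response"] = enabled
        results.append(updated_answer_questionnaire(Request(ANONYMOUS), id).status)
    return all(status == 403 for status in results)
```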