Minical 1.0.0 is vulnerable to IDOR .

Vendor: https://github.com/minical/minical

Demo Application: https://demo.minical.io/

Step 1: I have created two user accounts user A (hacker) then user B (walker-448)

Step 2: Go to the User B account then Navigate to the Accounting module and then click on any ID.

Step 3: Now, click on "Edit Profile". Enter the desired value in the Name field, then click "Update" and capture the request using Burp Suite.

Step 4: Now send the request to intruder.

Step 5. Now, set the payload position in the "customer_id" parameter then enter the HTML payload in the "customer_data[customer_name]" parameter, and then click on 'Start Attack.

Step 6: Now, refresh the browser for user A. As can be observed, we successfully updated user A's details, as shown in the POC below.