

Date: December 29, 2021


There is an improper access control issue that makes it possible for admins to ban themselves, which deactivates their Ifme account and results in complete loss of admin access to Ifme.

PoC Details

In a private window, access the application at http://localhost:3000/users/sign_in and log in with the credentials of a normal user. Go to http://localhost:3000/allies and search for the admin’s email address, then click “Add to allies” on the admin profile. In the normal window, log in as the admin and accept the ally request. Back in the private window, as the normal user, go to Ally > Admin profile, click report, enter a reason and submit it. Return to the normal window as the admin, go to http://localhost:3000/admin_dashboard and click “Ban User” on the Admin User entry. The admin account is deactivated and cannot be recovered.
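The following is an added illustration, not ifme’s own code: a minimal stand-in for the dashboard’s “Ban User” action that shows the missing check this advisory describes (an admin can ban their own account) beside a corrected version that also refuses any ban leaving the application with no active admin. The User struct, e-mail addresses and method names are assumptions constructed for the example.

```ruby
# Added illustration, not ifme's own code: a minimal stand-in for an admin
# dashboard "Ban User" action. It shows the missing check this advisory
# describes (an admin may ban their own account) next to a corrected version.
# User records, e-mail addresses and method names are constructed here.
User = Struct.new(:id, :email, :admin, :banned, keyword_init: true)

class BanRefused < StandardError; end

# Vulnerable form: the only check is "is the caller an admin?", so the admin
# can pick their own row in the dashboard and deactivate themselves.
def ban_user_unchecked(current_user, target)
  raise BanRefused, "caller is not an admin" unless current_user.admin
  target.banned = true
  target
end

# Hardened form: refuse a self-ban outright, and refuse any ban that would
# leave the application with no active admin (the "complete loss of admin
# access" outcome from the advisory). `all_users` stands in for the user table.
def ban_user_checked(current_user, target, all_users)
  raise BanRefused, "caller is not an admin" unless current_user.admin
  raise BanRefused, "admins cannot ban themselves" if target.id == current_user.id
  remaining_admins = all_users.count { |u| u.admin && !u.banned && u.id != target.id }
  raise BanRefused, "ban would remove the last active admin" if remaining_admins.zero?
  target.banned = true
  target
end

if __FILE__ == $PROGRAM_NAME
  admin = User.new(id: 1, email: "admin@example.test", admin: true, banned: false)
  user  = User.new(id: 2, email: "user@example.test", admin: false, banned: false)
  ban_user_unchecked(admin, admin)            # succeeds: admin is now locked out
  puts "unchecked self-ban: banned=#{admin.banned}"
  admin.banned = false
  begin
    ban_user_checked(admin, admin, [admin, user])
  rescue BanRefused => e
    puts "checked self-ban refused: #{e.message}"
  end
  ban_user_checked(admin, user, [admin, user])
  puts "checked ban of normal user: banned=#{user.banned}"
end
```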

Affected Environments



Update to version v7.32.1 or later

Language: Ruby

Good to know:


Improper Access Control


Upgrade Version

Upgrade to version v7.32.1


CVSS v3 Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): High
Availability (A): High

CVSS v2 Base Score:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): Single
Confidentiality (C): None
Integrity (I): Partial
Availability (A): Partial
Additional information: