
Yelp: Object Level access control leads to reading user's full requests, sessions, and error messages

The vulnerability allowed unauthenticated attackers to read internal administrators' full sessions, HTTP request data and other internal information through an error-logging endpoint. It was found on the subdomain https://proze.yelp.com/, which hosted an internal administration tool called Tailored Mail. The error-logging endpoint at /tmwebapi/elmah.axd provided access to detailed logs containing sensitive…
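The path /tmwebapi/elmah.axd is the handler of ELMAH, the error-logging module for ASP.NET. Each logged error includes the failing request's server variables, cookies, query string and form fields, which is why an exposed ELMAH page leaks session identifiers and request bodies. ELMAH only answers local requests out of the box; an endpoint reachable from the internet means remote access was enabled in web.config without an authorization rule on the handler path. The fragment below is an added illustration, not Tailored Mail's actual configuration, and assumes web.config sits at the root of the application that serves /tmwebapi/ (so the handler path is written as elmah.axd). It shows the weak setting beside the corrected one:

```xml
<?xml version="1.0"?>
<configuration>
  <configSections>
    <sectionGroup name="elmah">
      <section name="security" requirePermission="false"
               type="Elmah.SecuritySectionHandler, Elmah" />
      <section name="errorLog" requirePermission="false"
               type="Elmah.ErrorLogSectionHandler, Elmah" />
    </sectionGroup>
  </configSections>

  <elmah>
    <!-- WEAK: remote access on, and no <location> rule below restricts
         elmah.axd, so anyone on the internet can read every logged error,
         including cookies and form data of the failing request.
         (Default is allowRemoteAccess="0", i.e. localhost only.) -->
    <security allowRemoteAccess="1" />
    <errorLog type="Elmah.XmlFileErrorLog, Elmah" logPath="~/App_Data" />
  </elmah>

  <system.webServer>
    <handlers>
      <add name="Elmah" path="elmah.axd" verb="POST,GET,HEAD"
           type="Elmah.ErrorLogPageFactory, Elmah" preCondition="integratedMode" />
    </handlers>
  </system.webServer>

  <!-- CORRECTED: if remote access is really needed, gate the handler path
       with an authorization rule. "Admin" is an assumed role name; the
       deny-all rule after it is what makes unauthenticated requests fail. -->
  <location path="elmah.axd">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Two checks worth running on your own ASP.NET estate: grep every web.config for allowRemoteAccess="1" and confirm each one has a matching `<location>` authorization block, and request /elmah.axd (and /elmah.axd/rss, which lists the same errors as a feed) on each host from an address outside the server to confirm the response is a redirect to login or a 401/403 rather than the error index.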

