A second deep security sweep found and remediated an IDOR, an SSRF, and a stored HTML injection — all rated high severity.
Following the first security hardening sprint, a second structured audit of the Intellixer portal and API surface identified three high-severity vulnerabilities. All were remediated and verified in the same sprint.
| ID | Severity | Class | Description | Fix |
|---|---|---|---|---|
| SEC-I013-01 | HIGH | IDOR | Insecure Direct Object Reference in /keys/create — an authenticated user could provision keys against a different user's account by supplying a foreign uid in the request body | Server-side uid sourced exclusively from the verified Firebase session token; request body value ignored and stripped |
| SEC-I013-02 | HIGH | SSRF | Server-Side Request Forgery via WeasyPrint PDF renderer — a crafted invoice template could trigger outbound HTTP requests from the GCE VM to internal GCP metadata endpoints | WeasyPrint URL fetching disabled; all external assets inlined at template-render time; metadata endpoint blocked at the GCE network policy layer |
| SEC-I013-03 | HIGH | Stored XSS | Stored HTML injection in organization display names — unsanitised org names were rendered into portal HTML, enabling persistent script injection for any member of that organization | Server-side HTML entity encoding applied on write; existing stored values back-filled via migration; CSP header tightened to block inline script execution |
The audit followed OWASP Top 10 (2021) methodology with manual review of all authenticated endpoints, output encoding paths, and server-side request flows. No findings from the first audit remain open. No new findings remain unpatched.
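The SSRF remediation for SEC-I013-02 rests on denying the PDF renderer any network or filesystem fetch. The following is an added illustration, not Intellixer's own code: it assumes the renderer is WeasyPrint (named in the finding) and that all assets have already been inlined as `data:` URIs, so a custom `url_fetcher` can refuse every other scheme; `render_invoice_pdf` and the sample template are hypothetical.

```python
from urllib.parse import urlsplit
from urllib.request import urlopen

# Only inlined assets are acceptable once templates embed everything as data: URIs.
ALLOWED_SCHEMES = frozenset({"data"})


def is_allowed_asset_url(url: str) -> bool:
    """True only for data: URIs; http(s), file:, gopher: etc. are all refused."""
    return urlsplit(url).scheme in ALLOWED_SCHEMES


def restricted_url_fetcher(url: str, *args, **kwargs) -> dict:
    """Replacement for WeasyPrint's default fetcher.

    WeasyPrint calls this for every <img>, <link>, @font-face, url() etc.
    Raising here makes WeasyPrint log a warning and skip the asset instead of
    letting the renderer reach internal endpoints such as instance metadata.
    data: URIs are decoded locally via urllib's DataHandler (no network).
    """
    if not is_allowed_asset_url(url):
        raise ValueError(f"blocked non-inline asset URL in template: {url!r}")
    with urlopen(url) as resp:  # data: scheme only; never touches the network
        return {"string": resp.read(), "mime_type": resp.info().get_content_type()}


def render_invoice_pdf(html_string: str) -> bytes:
    """Render trusted-template HTML with fetching restricted. (hypothetical)"""
    from weasyprint import HTML  # imported lazily so the fetcher is testable alone
    return HTML(string=html_string, base_url=None,
                url_fetcher=restricted_url_fetcher).write_pdf()


# Constructed sample: the logo is inlined, the second image would be refused.
SAMPLE_TEMPLATE = """
<html><body>
  <img src="data:image/png;base64,iVBORw0KGgo=">
  <img src="http://169.254.169.254/computeMetadata/v1/">
</body></html>
"""

if __name__ == "__main__":
    pdf = render_invoice_pdf(SAMPLE_TEMPLATE)
    print(f"rendered {len(pdf)} bytes; blocked asset was skipped, not fetched")
```

The fetcher is a second layer beside the network-policy block on the metadata endpoint; either control alone would have left a single point of failure.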