
IDOR or something else?

Çağlar Arlı

While analyzing a web application, I identified a path of the type https://example/remove/123, which allows a user with lower privileges to remove a report created by a user with higher privileges. In theory, the user with lower privileges shouldn't even be able to view this report, but in reality, they can even delete it by knowing the appropriate ID and path. That said, can this issue be included in IDOR, or should I break it down into two vulnerabilities, such as IDOR and broken access control?
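As an added illustration (not code from the question or from the application it describes), here is the pattern the question reports: a delete endpoint that looks up a report by ID and removes it after only an authentication check, beside the same endpoint with an object-level authorization check tied to the report being acted on. The users, roles, report store and function names are all constructed for the example.

```python
"""Constructed example: an object-level authorization gap on a delete endpoint.

Everything here (users, roles, the report store, handler names) is invented
for illustration; it is not code from the application in the question.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str  # "admin" or "user" (constructed roles)


@dataclass
class Report:
    report_id: int
    owner: str


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def make_store():
    # Constructed data: report 123 belongs to a higher-privileged admin,
    # report 124 belongs to the ordinary user "bob".
    return {
        123: Report(123, owner="admin_alice"),
        124: Report(124, owner="bob"),
    }


def remove_vulnerable(store, caller, report_id):
    """Mirrors /remove/<id> as described: the caller is authenticated, but
    nothing checks that the caller may act on *this* report. Any logged-in
    user who knows or guesses the ID can delete it."""
    if report_id not in store:
        raise NotFound(report_id)
    del store[report_id]
    return True


def can_access(caller, report):
    # Object-level policy (assumed): owners and admins may read/delete a report.
    return caller.role == "admin" or report.owner == caller.name


def remove_hardened(store, caller, report_id):
    """Same endpoint with the authorization decision made against the object.
    The lookup happens first so a wrong ID and a forbidden ID are
    distinguishable server-side; whether to reveal that difference to the
    caller (404 for both vs. 403) is a separate design choice."""
    report = store.get(report_id)
    if report is None:
        raise NotFound(report_id)
    if not can_access(caller, report):
        raise Forbidden(f"{caller.name} may not remove report {report_id}")
    del store[report_id]
    return True


def demo():
    """Low-privileged 'bob' attempts to delete the admin's report 123 against
    both handlers. Returns (vulnerable result, 123 still present after the
    vulnerable call, hardened outcome, 123 still present after hardened call)."""
    bob = User("bob", "user")
    s1 = make_store()
    vulnerable_result = remove_vulnerable(s1, bob, 123)  # succeeds: the bug
    s2 = make_store()
    try:
        remove_hardened(s2, bob, 123)
        hardened_result = "deleted"
    except Forbidden:
        hardened_result = "forbidden"
    return vulnerable_result, 123 in s1, hardened_result, 123 in s2
```

The point the contrast makes: the hardened handler does not hide the ID or make it unguessable; it binds the decision to the specific report, so knowing the path and the number no longer helps a caller who is not authorized for that object.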