Vulnerability title: Access to the admin settings page via IDOR (view only, no modifications)
Date of discovery: 2025.07.05
Discovery Location (URL or System Path):
Reolink Firmware Web Page → Session Storage
Vulnerability Type (CWE ID): CWE-639: Authorization Bypass Through User-Controlled Key
Vulnerability Description: A user with regular privileges can open the admin-only settings page by manipulating the account name that the web interface stores in the browser's session storage. The server does not verify that the logged-in session actually holds admin rights before serving the page; the decision rests solely on a client-side session storage value. An attacker who edits that value can load the admin settings page without possessing admin credentials.
Impacted Products/Services: Reolink Firmware Web Interface
Product version: firmware v3.0.0.4662_2503122283
Vulnerable Components:
The web interface trusts the account identifier stored in client-side session storage and serves privileged pages on that basis, with no server-side authorization check tied to the authenticated session.
Attack Vector
An attacker with a regular account can use the browser's developer tools to change the session storage value that holds the account name to admin, and is then shown the admin UI without possessing admin credentials.
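The following JavaScript models the flaw described in the attack vector and reproduction steps. It is an added example, not Reolink's code: the storage stub, the base64 obfuscation standing in for whatever the real front end applies to word1 to word5, the session table and the session tokens are all assumptions made for illustration. The page only states that word4 holds the username after decryption. The example shows the client-side gate flipping when word4 is rewritten, beside a server-side check that derives the role from its own session record and ignores the client-supplied identity entirely.

```javascript
// Added example (not Reolink code). Names, the encoding helper and the
// session table are assumptions for illustration only.

// Constructed stand-in for window.sessionStorage so this runs outside a browser.
function makeStorage(entries) {
  const data = new Map(Object.entries(entries));
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
  };
}

// Assumed reversible obfuscation: the report says word4 holds the username
// "after decryption", so a trivial base64 wrapper plays that role here.
const encode = (s) => Buffer.from(s, "utf8").toString("base64");
const decode = (s) => Buffer.from(s, "base64").toString("utf8");

// VULNERABLE pattern (CWE-639): the admin settings view is gated on a key the
// client fully controls.
function clientSideAllowsAdminPage(storage) {
  const user = decode(storage.getItem("word4") ?? "");
  return user === "admin";
}

// Constructed server-side session table: the role is bound to the session
// token at login, not to anything the browser stores afterwards.
const serverSessions = new Map([
  ["tok-regular-user", { user: "viewer", role: "user" }],
  ["tok-admin", { user: "admin", role: "admin" }],
]);

// HARDENED pattern: authorization reads the role from the server's own session
// record; the identity claimed by the client is deliberately ignored.
function serverSideAllowsAdminPage(sessionToken, claimedUser) {
  void claimedUser; // intentionally unused: client-supplied identity is untrusted
  const session = serverSessions.get(sessionToken);
  if (!session) return false;
  return session.role === "admin";
}

// Walk through the attack: a regular user rewrites word4 to "admin" exactly as
// the reproduction steps describe, then requests the admin page both ways.
function demo() {
  const storage = makeStorage({ word4: encode("viewer") });
  const before = clientSideAllowsAdminPage(storage);
  storage.setItem("word4", encode("admin")); // the tampering step
  const after = clientSideAllowsAdminPage(storage); // client-side gate bypassed
  const serverView = serverSideAllowsAdminPage(
    "tok-regular-user",
    decode(storage.getItem("word4")),
  ); // server still sees a regular user
  return { before, after, serverView };
}

console.log(demo());
```

The practical check for a fix is therefore not whether the page still renders after editing word4, but whether the server refuses the admin settings request (and the underlying API calls) for a session that was authenticated as a non-admin user, regardless of any identity value the client sends.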
Reproduction Steps
1. Log in to the web interface with a regular (non-admin) account and open the browser's developer tools.
2. Inspect Session Storage: the application stores values word1 to word5; word4 stores the username (after decryption).
3. Change the word4 value to admin, which is the default admin username for Reolink.
4. Load the admin settings page; it is served without the server verifying that the session holds admin rights.
Video Proof-of-Concept