IDOR in Undocumented Method of JetBrain's YouTrack

We discussed this vulnerability during Episode 79 on 06 September 2021

When looking into the API internals of JetBrain’s YouTrack, the author discovered an undocumented endpoint for getting issue descriptions without any styling or markdown. This endpoint was not protected with role validation or any user authentication at all, likely because it’s only meant to be used internally. Any user could leak any issue’s description even if they didn’t have access to view it, including past reported (but potentially unfixed) security issues. The issue IDs look fairly guessable, so this bug would be easy to take advantage of.