Potential security issue with file endpoint

Forum for users and developers of Bullhorn's API service.

Moderators: StaffingSupport, s.emmons, BullhornSupport


Potential security issue with file endpoint

Post by anovak »


I have noticed that the GET file endpoint can retrieve any file even if the candidate id and file id do not match.
Can someone confirm for me whether this is on purpose? Why do we need to enter the candidate id if we can retrieve the file with just the file id?
http://bullhorn.github.io/rest-api-docs/#get-file .

Example: curl https://rest.bullhornstaffing.com/rest- ... e/3835/231

Candidate 3835 does not need to match file id 231 to get this file.

Thank you,
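As an added illustration (not Bullhorn's code and not its actual endpoint logic; the ids, file store and function names are constructed for this example): the lookup pattern the post describes, where the parent candidate id is accepted but ignored, next to a lookup that binds the file to the candidate in the URL so a mismatched pair is simply not found.

```python
from dataclasses import dataclass

# Constructed sample store; in a real service this would be the database.
@dataclass(frozen=True)
class StoredFile:
    file_id: int
    candidate_id: int   # the parent entity the file is attached to
    name: str
    content: bytes

FILES = {
    231: StoredFile(231, 3835, "resume.pdf", b"%PDF-1.4 sample"),
    232: StoredFile(232, 4100, "cover-letter.pdf", b"%PDF-1.4 other"),
}

class NotFound(Exception):
    """Raised when the requested (candidate, file) pair does not exist."""

def get_file_unscoped(candidate_id: int, file_id: int) -> StoredFile:
    """The behaviour described in the post: candidate_id is part of the
    route but never used, so any valid file_id is served (hypothetical)."""
    try:
        return FILES[file_id]
    except KeyError:
        raise NotFound(file_id)

def file_belongs_to(candidate_id: int, file_id: int) -> bool:
    """Ownership check: the file must exist AND be attached to this candidate."""
    f = FILES.get(file_id)
    return f is not None and f.candidate_id == candidate_id

def get_file_scoped(candidate_id: int, file_id: int) -> StoredFile:
    """Hardened form: the lookup is keyed by both ids. A mismatch is reported
    exactly like a missing file (404-style), so the response does not reveal
    that the file id exists under some other candidate."""
    if not file_belongs_to(candidate_id, file_id):
        raise NotFound((candidate_id, file_id))
    return FILES[file_id]
```

The scoped version is the check a reviewer would expect behind a `/Candidate/{id}/file/{fileId}` route; the same binding applies to any endpoint that nests a child resource under a parent id.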