Description

Authorization defines the concept of controlling access to resources. Only those users or user profiles that need access to information should have access to it. Incorrect authorization management can allow users to access restricted functionality to which only a certain group of users should have access, or to access other users' private information.

During this pentest, it has been detected that in the rating functionality, more concretely /api/ros/v1/rating, it is possible to modify the rating of a system that does not belong to that user.

Impact

This vulnerability allows users to modify the rating of systems from other organizations and, as reported in the previous pentest (RHIROS-400), also to enumerate systems from other organizations. Because the rating is altered, this vulnerability impacts confidentiality and integrity.

Recommendations

To avoid the risk associated with this vulnerability, it is recommended to implement an adequate authorization mechanism within the overall service, especially in the private part, checking the access rights of the user associated with the session before accessing any resource or information.

References

https://cwe.mitre.org/data/definitions/285.html
https://portswigger.net/web-security/access-control/idor
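The following is an added example illustrating the recommendation above; it is not code from the pentest report or from the rated service. It models a rating handler in Python with a constructed in-memory store: the "before" version resolves the system purely by the identifier in the request, while the hardened version takes the organization from the authenticated session and scopes the lookup to it before modifying anything. The data model, the `System`/`Session` types, the organization identifiers and the system identifiers are all assumptions made for this example.

```python
"""Added example (not the report's or the service's own code).

Shows the authorization gap described in the finding beside its fix: an
ownership check, driven by the session identity, performed before a
rating is modified. All identifiers and records below are constructed.
"""
from dataclasses import dataclass
from typing import Dict


class NotFound(Exception):
    """Raised when no system with that identifier exists for the calling organization."""


@dataclass
class System:
    inventory_id: str
    org_id: str      # owning organization, stored with the record, never supplied by the caller
    rating: int = 0


@dataclass
class Session:
    """Identity taken from the authenticated session, not from the request body or URL."""
    user_id: str
    org_id: str


def make_store() -> Dict[str, System]:
    """Constructed sample data: two organizations, one system each."""
    return {
        "sys-a1": System("sys-a1", org_id="org-100"),
        "sys-b2": System("sys-b2", org_id="org-200"),
    }


def rate_system_vulnerable(store: Dict[str, System], session: Session,
                           inventory_id: str, rating: int) -> int:
    """Before: resolves the system by the request identifier alone.

    The session is accepted but never consulted, so any authenticated user
    can change the rating of any system whose identifier reaches this code.
    """
    system = store.get(inventory_id)
    if system is None:
        raise NotFound(inventory_id)
    system.rating = rating
    return system.rating


def rate_system_hardened(store: Dict[str, System], session: Session,
                         inventory_id: str, rating: int) -> int:
    """After: scope the lookup to the caller's organization before any write."""
    system = store.get(inventory_id)
    # A system that exists but belongs to another organization is reported
    # exactly like a missing one, so the endpoint gives no signal about
    # which identifiers exist elsewhere (the enumeration issue in RHIROS-400).
    if system is None or system.org_id != session.org_id:
        raise NotFound(inventory_id)
    system.rating = rating
    return system.rating


def demo() -> dict:
    """Run both handlers against the sample data and report what happened."""
    store = make_store()
    caller = Session(user_id="user-1", org_id="org-100")
    results = {}
    # Caller rates a system in its own organization: allowed in both versions.
    results["own_system"] = rate_system_hardened(store, caller, "sys-a1", 1)
    # Caller targets a system owned by org-200: the hardened handler refuses.
    try:
        rate_system_hardened(store, caller, "sys-b2", 1)
        results["foreign_system_hardened"] = "modified"
    except NotFound:
        results["foreign_system_hardened"] = "rejected"
    results["foreign_rating_after_hardened"] = store["sys-b2"].rating
    # The vulnerable handler performs the same cross-organization write.
    results["foreign_system_vulnerable"] = rate_system_vulnerable(store, caller, "sys-b2", 1)
    return results


if __name__ == "__main__":
    print(demo())
```

The essential point is that the authorization decision uses two things the caller cannot influence: the organization bound to the session, and the organization stored on the record. Returning the same "not found" outcome for foreign and missing systems is what also closes the enumeration path noted in the Impact section.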