Summary

An Insecure Direct Object Reference (IDOR) vulnerability exists in the Purchase Order cancellation endpoint at service-goauth.mokapos.com.
An authenticated user can cancel another user’s Purchase Order by replacing the PO ID in the cancellation request.

The server does not verify ownership or authorization of the targeted PO resource.

Affected Endpoint

PUT /purchase-order/v1/ingredient-purchase-order/{PO_ID}/cancel

Users

• User A — Victim
• User B — Attacker

Steps to Reproduce

1. User A logs in to https://backoffice.mokapos.com
2. Navigate to INVENTORY → Purchase Order (PO)
3. Create a new Purchase Order and note the PO ID
4. User B logs in to https://backoffice.mokapos.com
5. Navigate to INVENTORY → Purchase Order (PO)
6. Create a PO
7. Open the PO detail page → Click More → Cancel PO while intercepting the request
8. The following request is captured:

PUT /purchase-order/v1/ingredient-purchase-order/USER_B_PO_ID/cancel HTTP/2
Host: service-goauth.mokapos.com
Authorization: ATTACKER_TOKEN
Outlet-Id: 1141719
Content-Length: 0

9. Replace USER_B_PO_ID with User A’s PO ID
10. Send the modified request
11. Server responds with:

200 OK

12. When User A refreshes the page, the PO status changes from
“Waiting for Fulfillment” → “Cancelled”

Impact

• Unauthorized cancellation of other users’ Purchase Orders
• Business logic abuse and operational disruption
• Potential financial loss due to cancelled procurement workflows

Timeline

February 5, 2026: Submit Report
February 5, 2026: Under Review
February 8, 2026: Out of Scope