Summary by Indeed
An authorization flaw was identified in the application: an endpoint for downloading the PDF of a 'public' resume could also be used to download a resume that was set to 'private', if you had a method to enumerate user resume IDs.
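The class of flaw described above, sketched as an added example (not Indeed's code): a download handler that looks a resume up by ID without consulting its visibility setting, next to a version that enforces the check on every request. The data model, function names, IDs and the 404-for-unauthorized behaviour are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Resume:
    resume_id: str
    owner: str
    visibility: str  # "public" or "private"
    pdf: bytes


# Constructed sample data; ids, owners and contents are hypothetical.
RESUMES = {
    r.resume_id: r
    for r in (
        Resume("r-1001", "alice", "public", b"%PDF-alice"),
        Resume("r-1002", "bob", "private", b"%PDF-bob"),
    )
}

NOT_FOUND = (404, b"")


def download_pdf_vulnerable(resume_id: str, requester: Optional[str]):
    """Flawed handler: finds the resume by id and never checks visibility."""
    resume = RESUMES.get(resume_id)
    if resume is None:
        return NOT_FOUND
    return (200, resume.pdf)


def can_read(resume: Resume, requester: Optional[str]) -> bool:
    """Only an explicit "public" flag opens a resume; otherwise owner only."""
    if resume.visibility == "public":
        return True
    return requester is not None and requester == resume.owner


def download_pdf_hardened(resume_id: str, requester: Optional[str]):
    """Same lookup, with authorization enforced server-side per request."""
    resume = RESUMES.get(resume_id)
    # Unknown and unauthorized ids return the same response, so the
    # endpoint does not confirm which ids exist.
    if resume is None or not can_read(resume, requester):
        return NOT_FOUND
    return (200, resume.pdf)
```

Hard-to-guess IDs reduce exposure but are not a substitute for the per-request visibility check shown in the hardened handler.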