Hi Talhah,
Security is often overlooked by developers. Everyone should know that access rules should be carefully applied to all entities. Although overview pages may not exist, one can access any record in the database if not restricted correctly, as revealed by the pentest. In that way, you can still do all the actions the testers did, but only have access to records you are allowed to access.
So, what to do?
If you have any further questions or concerns, let me know!
Good luck! Johan
This sounds like you've not configured your application security properly.
Security is a big topic, but an obvious thing to check is that individual users have XPath Constraints applied to their role that limit access to data only to that specific user. You can give admin users more powerful roles that have the ability to access others' details if necessary.
I suggest refreshing yourself with Access Rules in the Mendix documentation as it covers how to do this.
https://docs.mendix.com/refguide/access-rules/
You may also want to look at the Configure Advanced Security learning path in the Mendix Academy as it covers this topic in greater depth.
https://academy.mendix.com/link/paths/9/Configure-Advanced-Security
Good luck!
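As an added illustration of the access rule both answers describe (this is not code from either poster or from the Mendix documentation; the entity name `MyModule.Order` and its `Owner` association are assumed for the example), here is the shape of an XPath constraint on an access rule for a regular user role. The `[%CurrentUser%]` token is the built-in Mendix token for the logged-in user.

```xpath
(: Access rule for module role "User" on entity MyModule.Order (assumed names) :)
(: Without any constraint, the rule grants the role access to every Order in the database, :)
(: which is exactly what the pentest could reach through the runtime API even with no overview page. :)

(: Constraint: only Orders whose Owner association points at the current user. :)
[MyModule.Order_Owner = '[%CurrentUser%]']

(: Variant for an entity that generalizes System.Owner: restrict on the owner system member instead. :)
[System.owner = '[%CurrentUser%]']
```

An administrator module role that genuinely needs to see all orders gets a separate access rule with no XPath constraint (or a constraint of its own); the user role keeps the constrained rule, so every retrieve, regardless of which page or microflow issued it, is filtered server-side to the caller's own records.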