Unauthorized Organization Name Change by Any Role
In version 1.2.7, any authenticated user, regardless of their role, can change the organization's name due to improper access control. This issue has not yet been patched.
Available publicly on May 25 2024
Threat Overview
The vulnerability arises from the lack of proper access control checks in the endpoint responsible for updating organization details. Specifically, the checkAccess()
function is not implemented, allowing any authenticated user to send a PATCH request to change the organization's name. This can lead to unauthorized modifications and potential misuse of organizational data.
Attack Scenario
An attacker with the lowest privilege role, such as a Prompt Editor, logs into the platform and obtains an authorization token. Using this token, the attacker sends a crafted PATCH request to the endpoint responsible for updating organization details. The request successfully changes the organization's name, which is then reflected across the platform wherever the organization's name is displayed.
Who is affected
All users of the platform, especially those with administrative responsibilities, are affected by this vulnerability. Any authenticated user, regardless of their role, can exploit this issue to change the organization's name.
Technical Report
Want more out of Sightline?
Sightline offers even more for premium customers
Go Premium
We have - related security advisories that are available with Sightline Premium.