Unauthorized Organization Name Change by Any Role
In version 1.2.7, any authenticated user, regardless of their role, can change the organization's name due to improper access control. This issue has not yet been patched.
Available publicly on May 25 2024
Remediation Steps
- Implement the checkAccess() function to enforce proper access control on the endpoint responsible for updating organization details.
- Define and enforce permissions for the orgs resource in the access control configuration.
- Conduct a thorough review of other endpoints to ensure similar access control issues do not exist.
- Deploy the updated code to production and notify users of the security fix.
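The following is an added illustration of the first two remediation steps, not code from the affected project: a permission table that names the orgs resource, a checkAccess() helper that consults it, and the organization-update handler in its vulnerable shape (authentication only) beside the hardened shape (authentication followed by checkAccess()). The permission table, role names, handler signatures and sample data are all hypothetical.

```javascript
// Added example (not the affected project's code). Everything here is
// hypothetical: the PERMISSIONS table, the role names, the handler
// signatures and the sample organization and users.

// Access-control configuration: which roles may perform which actions on
// the "orgs" resource. The vulnerable handler consulted no such table.
const PERMISSIONS = {
  orgs: {
    read: ["owner", "admin", "member"],
    update: ["owner", "admin"],
    delete: ["owner"],
  },
};

// Returns true only when the caller's role is explicitly listed for
// `action` on `resource`. Missing user, unknown resource and unknown
// action all deny by default.
function checkAccess(user, resource, action) {
  if (!user || typeof user.role !== "string") return false;
  const resourcePerms = PERMISSIONS[resource];
  if (!resourcePerms) return false;
  const allowedRoles = resourcePerms[action];
  if (!Array.isArray(allowedRoles)) return false;
  return allowedRoles.includes(user.role);
}

// Vulnerable shape of the update handler: it checks that *someone* is
// logged in, but never asks whether that someone may rename the org.
function updateOrgNameVulnerable(user, org, newName) {
  if (!user) return { status: 401, org };
  return { status: 200, org: { ...org, name: newName } };
}

// Hardened shape: authentication, then authorization via checkAccess(),
// then input validation, and only then the mutation. On any refusal the
// original org object is returned unchanged.
function updateOrgName(user, org, newName) {
  if (!user) return { status: 401, org };
  if (!checkAccess(user, "orgs", "update")) return { status: 403, org };
  if (typeof newName !== "string" || newName.trim() === "") {
    return { status: 400, org };
  }
  return { status: 200, org: { ...org, name: newName.trim() } };
}

// Constructed sample data for a stand-alone run.
const sampleOrg = { id: 1, name: "Example Org" };
const member = { id: 42, role: "member" };
const admin = { id: 7, role: "admin" };

// Demonstrates the difference: the member succeeds against the vulnerable
// handler and is refused by the hardened one; the admin succeeds in both.
function demo() {
  return {
    memberVulnerable: updateOrgNameVulnerable(member, sampleOrg, "Renamed").status,
    memberHardened: updateOrgName(member, sampleOrg, "Renamed").status,
    adminHardened: updateOrgName(admin, sampleOrg, "Renamed").status,
  };
}

console.log(JSON.stringify(demo()));
```

A useful check after applying such a fix is to exercise the endpoint once per defined role and confirm that only the roles listed under orgs.update receive a 200, while every other role receives a 403 and the stored name is untouched.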
Patch Details
- Fixed Version: N/A
- Patch Commit: N/A