Medium

lunary

Unauthorized Organization Name Change by Any Role

In version 1.2.7, any authenticated user, regardless of their role, can change the organization's name due to improper access control. This issue has not yet been patched.

Available publicly on May 25 2024

CVSS: 5.3

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Credit:

acciobugs

Remediation Steps
  • Implement the checkAccess() function to enforce proper access control on the endpoint responsible for updating organization details.
  • Define and enforce permissions for the orgs resource in the access control configuration.
  • Conduct a thorough review of other endpoints to ensure similar access control issues do not exist.
  • Deploy the updated code to production and notify users of the security fix.
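As an added illustration of the first two remediation steps (example code written for this page, not lunary's own source): a permission table for the orgs resource, a checkAccess() guard built on it, and the org-rename handler shown in its unguarded and guarded forms. Role names, the request-context shape and the in-memory store are assumptions.

```typescript
// Added example (not lunary's own code): a role -> permission table for the
// "orgs" resource and a checkAccess() guard applied to the org-update handler.
// Role and action names here are assumptions for illustration.
type Role = "owner" | "admin" | "member" | "viewer";
type Action = "read" | "update";
type Resource = "orgs";
// Access control configuration: which roles may perform which action on a resource.
const permissions: Record<Resource, Record<Action, Role[]>> = {
  orgs: {
    read: ["owner", "admin", "member", "viewer"],
    update: ["owner", "admin"],
  },
};

// Minimal request context (framework-agnostic stand-in for a Koa/Express ctx).
interface Ctx {
  user: { id: string; role: Role; orgId: string };
  params: { orgId: string };
  body: { name?: string };
}

// True when the caller's role is granted `action` on `resource`.
function checkAccess(ctx: Ctx, resource: Resource, action: Action): boolean {
  return permissions[resource][action].includes(ctx.user.role);
}

// In-memory store standing in for the orgs table (constructed sample data).
const orgs = new Map<string, { name: string }>([["org-1", { name: "Acme" }]]);

// Vulnerable form: any authenticated user can rename the org (the advisory's bug).
function updateOrgNameVulnerable(ctx: Ctx): number {
  const org = orgs.get(ctx.params.orgId);
  if (!org || !ctx.body.name) return 400;
  org.name = ctx.body.name;
  return 200;
}

// Hardened form: the caller must belong to the target org and pass checkAccess()
// before any mutation happens.
function updateOrgName(ctx: Ctx): number {
  if (ctx.user.orgId !== ctx.params.orgId) return 403;
  if (!checkAccess(ctx, "orgs", "update")) return 403;
  const org = orgs.get(ctx.params.orgId);
  if (!org || !ctx.body.name) return 400;
  org.name = ctx.body.name;
  return 200;
}

const orgName = (id: string): string | undefined => orgs.get(id)?.name;
```

The guard runs before the lookup and the write, so a denied request leaves the stored name untouched; the same table can be extended with entries for every other resource the third remediation step asks to review.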

Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A