Medium

danswer

Unauthorized API Access to Search Page Functions

In danswer v0.3.94, the back-end does not verify the visibility status of the search page, so attackers can reach its functionality through direct API calls. This vulnerability has not yet been patched.

Available publicly on Oct 12 2024

CVSS: 6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Credit:

fewword

Threat Overview

The vulnerability allows attackers to bypass the visibility restrictions set by administrators on the search page. By directly calling the API endpoint associated with the search page, attackers can access its functionalities even when the page is set to be invisible. This can lead to unauthorized access to sensitive information and potential misuse of the search functionalities.
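The difference between hiding the page and enforcing the setting on the server, as an added example that is not danswer's code: one handler ignores the visibility flag, one enforces and logs it, and a regression check lists any route that still answers while the page is disabled. All names, route paths and sample documents are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Would be returned to the client as HTTP 403."""

@dataclass
class Settings:
    search_page_enabled: bool  # hypothetical admin flag the UI reads to hide the page

@dataclass
class User:
    name: str

# Constructed sample corpus standing in for indexed documents.
DOCS = ["Q3 payroll summary", "VPN setup guide", "Payroll export procedure"]
AUDIT_LOG = []  # denied calls, kept for detection and review

def run_search(query):
    return [d for d in DOCS if query.lower() in d.lower()]

def search_unchecked(settings, user, query):
    # Pattern from the advisory: the caller is authenticated (PR:L),
    # but the visibility flag is never consulted.
    if user is None:
        raise Forbidden("authentication required")
    return run_search(query)

def search_enforced(settings, user, query):
    # Same handler with the visibility setting enforced on the server.
    if user is None:
        raise Forbidden("authentication required")
    if not settings.search_page_enabled:
        AUDIT_LOG.append((user.name, "search", "denied: page disabled"))
        raise Forbidden("search is disabled by the administrator")
    return run_search(query)

# Hypothetical route table; the paths are placeholders, not danswer endpoints.
ROUTES = {"/demo/search-unchecked": search_unchecked,
          "/demo/search-enforced": search_enforced}

def unguarded_routes(routes):
    """Regression check: list routes that still answer when the page is disabled."""
    off, probe, leaky = Settings(search_page_enabled=False), User("regression-test"), []
    for path, handler in routes.items():
        try:
            handler(off, probe, "payroll")
            leaky.append(path)
        except Forbidden:
            pass
    return leaky

if __name__ == "__main__":
    print("routes ignoring the visibility flag:", unguarded_routes(ROUTES))
```

Running a check like `unguarded_routes` over every endpoint that backs a hidden page catches handlers added later without the guard.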

Attack Scenario

An attacker identifies the API endpoint for the search page functionality and captures the necessary request details using tools like Burp Suite. They then craft a valid API request and send it directly to the server, successfully accessing the search page functions despite the page being invisible to regular users.

Who is affected

Users of danswer v0.3.94 who rely on the visibility restrictions of the search page to control access to its functionalities are affected by this vulnerability.

Technical Report