Critical

lunary

Cross-Organization Dataset Prompt Manipulation Vulnerability

A vulnerability in lunary version 1.2.13 allows a user to manipulate dataset prompts belonging to other organizations without proper authorization: dataset prompt information can be created, updated, deleted and retrieved across organization boundaries. The affected code takes a project ID and a prompt variation ID from the request and acts on them without checking that either belongs to the caller's organization, so supplying another organization's identifiers is enough to operate on its data. It was patched in the subsequent release.

Available publicly on Jun 09 2024

CVSS: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)

Credit: acciobugs
Remediation Steps
  • Update to the latest version of the software that includes the patch for this vulnerability.
  • Review and strengthen access control checks across all API endpoints, ensuring that every operation on dataset prompts and prompt variations (create, read, update, delete) verifies that the project ID and prompt variation ID supplied in the request resolve to records owned by the caller's organization, and that a foreign ID produces the same not-found response as a nonexistent one.
  • Implement additional logging and monitoring to detect and alert on unauthorized access attempts, for example requests whose project ID or variation ID does not belong to the requesting organization.
  • Conduct a thorough audit of existing datasets and prompt variations to identify and rectify any modifications made from outside their owning organization.
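The bug class described above and the authorization check the second remediation step asks for, as an added example. This is not lunary's code; the entity names, fields and the variation -> prompt -> dataset -> project -> organization chain are assumptions made for the illustration, and the sample records are constructed. The vulnerable handler looks a record up by ID alone; the hardened handler first confirms the supplied project belongs to the caller's organization and then confirms the variation belongs to that project.

```typescript
// Added example (not lunary's code): a minimal model of the ownership
// chain behind a dataset prompt variation and two versions of a handler,
// one with the missing authorization check the advisory describes and
// one with the check in place. Entity names and fields are assumptions.

type Project = { id: string; orgId: string };
type Dataset = { id: string; projectId: string };
type DatasetPrompt = { id: string; datasetId: string };
type PromptVariation = { id: string; promptId: string; variables: Record<string, string> };
type Session = { userId: string; orgId: string }; // derived from the auth token, never from the request body

// Constructed sample data: two organizations, each with one project,
// one dataset, one prompt and one variation.
const db = {
  projects: [{ id: "proj-A", orgId: "org-A" }, { id: "proj-B", orgId: "org-B" }] as Project[],
  datasets: [{ id: "ds-A", projectId: "proj-A" }, { id: "ds-B", projectId: "proj-B" }] as Dataset[],
  prompts: [{ id: "prompt-A", datasetId: "ds-A" }, { id: "prompt-B", datasetId: "ds-B" }] as DatasetPrompt[],
  variations: [
    { id: "var-A1", promptId: "prompt-A", variables: { name: "Alice" } },
    { id: "var-B1", promptId: "prompt-B", variables: { name: "Bob" } },
  ] as PromptVariation[],
};

// Walk variation -> prompt -> dataset -> project so the owning project
// (and through it the organization) is known before anything is returned.
function resolveVariation(variationId: string): { variation: PromptVariation; project: Project } | undefined {
  const variation = db.variations.find((v) => v.id === variationId);
  if (!variation) return undefined;
  const prompt = db.prompts.find((p) => p.id === variation.promptId);
  if (!prompt) return undefined;
  const dataset = db.datasets.find((d) => d.id === prompt.datasetId);
  if (!dataset) return undefined;
  const project = db.projects.find((p) => p.id === dataset.projectId);
  if (!project) return undefined;
  return { variation, project };
}

// VULNERABLE pattern: the variation is fetched by ID alone. Neither the
// session nor the supplied project ID is compared with the record's
// owner, so any user who knows (or guesses) an ID from another
// organization can read and modify it.
function getVariationVulnerable(_session: Session, _projectId: string, variationId: string): PromptVariation | undefined {
  return db.variations.find((v) => v.id === variationId);
}

function updateVariationVulnerable(session: Session, projectId: string, variationId: string, variables: Record<string, string>): boolean {
  const variation = getVariationVulnerable(session, projectId, variationId);
  if (!variation) return false;
  variation.variables = variables;
  return true;
}

// HARDENED pattern: (1) the caller-supplied project ID must belong to the
// caller's organization, (2) the variation must belong to that project.
// Both failures look like "not found" so foreign IDs cannot be enumerated.
function getVariationHardened(session: Session, projectId: string, variationId: string): PromptVariation | undefined {
  const project = db.projects.find((p) => p.id === projectId);
  if (!project || project.orgId !== session.orgId) return undefined;
  const resolved = resolveVariation(variationId);
  if (!resolved || resolved.project.id !== project.id) return undefined;
  return resolved.variation;
}

function updateVariationHardened(session: Session, projectId: string, variationId: string, variables: Record<string, string>): boolean {
  const variation = getVariationHardened(session, projectId, variationId);
  if (!variation) return false;
  variation.variables = variables;
  return true;
}

// Helper so the effect of an update can be observed.
function readVariables(variationId: string): Record<string, string> | undefined {
  return db.variations.find((v) => v.id === variationId)?.variables;
}
```

In a SQL-backed service the same check is a join from the variation up to its project with the session's organization in the WHERE clause, applied to every verb rather than only to reads; for create, the parent dataset or prompt the new record is attached to must be validated the same way. Note that the organization comes from the authenticated session, never from a request parameter, since a client-supplied organization ID would be just another unvalidated identifier.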
Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A