High

lunary

Improper Access Control Allowing Unauthorized Project and User Manipulation

A vulnerability in version 1.2.4 allows users with team management permissions to manipulate project and user assignments across different organizations due to improper backend validation. This issue was patched in a subsequent release.

Available publicly on Jun 07 2024

CVSS score: 7.4

CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Credit: acciobugs

Threat Overview

The vulnerability arises from improper validation of project and user identifiers in the backend: the server does not check that the identifiers supplied in a request belong to the caller's own organization. This allows a user with team management permissions to invite users into projects belonging to other organizations, move existing members to projects in other organizations, and escalate privileges. The attacker must first obtain valid user and project identifiers. The missing check leads to inconsistent membership data across the platform and to unauthorized privilege escalation.

Attack Scenario

An attacker with team management permissions logs in and obtains the necessary authorization token. By substituting a foreign project identifier in the request, the attacker can invite users into projects in other organizations, move existing members to projects in other organizations, and escalate their privileges. This can cause significant inconsistencies and unauthorized access within the platform.
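As an added illustration, not lunary's own code (the store layout, the permission name and the function names are assumptions), the membership handler below is shown twice: the first version only checks the caller's role, which is the pattern the overview and scenario describe, while the second also verifies that both the project and the user identifiers resolve to the caller's own organization before writing.

```javascript
// Constructed sample data: two organizations, each with one project,
// plus one team manager in org-A. Assumed layout, not lunary's schema.
function makeStore() {
  return {
    projects: { "proj-A": { orgId: "org-A" }, "proj-B": { orgId: "org-B" } },
    users: {
      alice: { orgId: "org-A", perms: ["team:manage"] }, // team manager, org-A
      carol: { orgId: "org-A", perms: [] },              // plain member, org-A
      bob:   { orgId: "org-B", perms: [] },              // plain member, org-B
    },
    members: {}, // projectId -> Set of userIds
  };
}

function hasTeamManagement(user) {
  return user.perms.includes("team:manage");
}

function addToProject(db, projectId, userId) {
  if (!db.members[projectId]) db.members[projectId] = new Set();
  db.members[projectId].add(userId);
}

// Vulnerable pattern: the caller's role is checked, but the project and user
// ids taken from the request are trusted as-is. A team manager in org-A can
// therefore add any known user to any known project, including org-B's.
function addMemberVulnerable(db, actorId, projectId, userId) {
  const actor = db.users[actorId];
  if (!actor || !hasTeamManagement(actor)) return { ok: false, status: 403 };
  if (!db.projects[projectId] || !db.users[userId]) return { ok: false, status: 404 };
  addToProject(db, projectId, userId);
  return { ok: true, status: 200 };
}

// Hardened: every identifier from the request is resolved and compared with
// the actor's organization before any write. Cross-org ids get the same 404
// as unknown ids, so the response does not confirm that a foreign project
// or user exists.
function addMemberHardened(db, actorId, projectId, userId) {
  const actor = db.users[actorId];
  if (!actor || !hasTeamManagement(actor)) return { ok: false, status: 403 };
  const project = db.projects[projectId];
  const target = db.users[userId];
  if (!project || project.orgId !== actor.orgId) return { ok: false, status: 404 };
  if (!target || target.orgId !== actor.orgId) return { ok: false, status: 404 };
  addToProject(db, projectId, userId);
  return { ok: true, status: 200 };
}
```

The same organization check must be applied to every identifier a request can carry (project, invited user, existing member), not only to the one the endpoint is primarily about.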

Who is affected

Organizations running version 1.2.4 in which any user holds team management permissions, since such a user can manipulate project and user assignments across organizations. Those organizations are at risk of unauthorized access and privilege escalation.
