Severity: High

Product: lunary

Cross-Organization Prompt Deletion via ID Manipulation

A vulnerability in version 1.2.13 allowed users to delete prompts from other organizations by manipulating request parameters. This issue was patched in version 1.2.25.

CVSS score: 7.5

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Credit: acciobugs

Threat Overview

The vulnerability arises from insufficiently granular access control checks, which allow users to delete prompts belonging to other organizations by manipulating request parameters. Specifically, the backend API does not validate that the prompt being deleted is owned by the caller's organization; it only checks whether the user is permitted to delete prompts at all. This can lead to unauthorized deletion of prompts, causing data inconsistencies and loss of information for legitimate users.

Attack Scenario

An attacker logs in as a user from Organization A and adds a prompt. They then log in as a user from Organization B in a separate session, intercept Organization A's DELETE request for the prompt, replace the access token with that of the Organization B user, and remove the projectId parameter. The backend accepts the request and deletes Organization A's prompt, causing data loss and inconsistencies.
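To make the missing check in the Threat Overview and the scenario above concrete, here is an added illustration that is not Lunary's code: a minimal in-memory model of a "delete prompt" handler in the coarse-grained form the advisory describes (authorizes the action, not the object), beside a hardened form that scopes the delete to the caller's own organization. All ids, users, session objects and function names are constructed for the example.

```javascript
// Added illustration (not Lunary's code): an in-memory model of a
// "delete prompt" endpoint showing the object-level ownership check the
// advisory says was missing, and the fix. All ids and names are constructed.

// Constructed data: two organizations, each owning one project.
const PROJECTS = new Map([
  ["proj-A", { orgId: "org-A" }],
  ["proj-B", { orgId: "org-B" }],
]);

// Fresh prompt table for each run; prompt-1 belongs to org A, prompt-2 to org B.
function freshPrompts() {
  return new Map([
    ["prompt-1", { projectId: "proj-A", slug: "welcome" }],
    ["prompt-2", { projectId: "proj-B", slug: "support" }],
  ]);
}

// Constructed session objects standing in for a decoded access token.
const USER_A = { userId: "u-A", orgId: "org-A", role: "admin" };
const USER_B = { userId: "u-B", orgId: "org-B", role: "admin" };

// Action-level check only: "may this role delete prompts at all?"
// This is the sole check the advisory describes the backend performing.
function canDeletePrompts(user) {
  return user.role === "admin" || user.role === "member";
}

// VULNERABLE pattern (constructed): the action is authorized, but the prompt
// is never tied to the caller's organization. projectId is an optional
// client-supplied filter, so a request that omits it matches on id alone.
function deletePromptVulnerable(prompts, user, { promptId, projectId }) {
  if (!canDeletePrompts(user)) return { status: 403 };
  const prompt = prompts.get(promptId);
  if (!prompt) return { status: 404 };
  if (projectId !== undefined && prompt.projectId !== projectId) {
    return { status: 404 };
  }
  prompts.delete(promptId);
  return { status: 200 };
}

// HARDENED pattern (constructed): the organization comes from the session,
// never from the request body, and the delete is scoped to "this prompt id
// AND a project owned by the caller's org". Omitting or forging projectId
// cannot widen the match. In a SQL-backed handler the same idea is a WHERE
// clause on both the prompt id and the caller's org (or project) id.
function deletePromptHardened(prompts, user, { promptId }) {
  if (!canDeletePrompts(user)) return { status: 403 };
  const prompt = prompts.get(promptId);
  const project = prompt && PROJECTS.get(prompt.projectId);
  if (!project || project.orgId !== user.orgId) {
    // 404 rather than 403: do not confirm that the id exists in another org.
    return { status: 404 };
  }
  prompts.delete(promptId);
  return { status: 200 };
}

// Replays the advisory's scenario against both handlers: the org B user
// sends the DELETE for org A's prompt with projectId removed.
function replayScenario() {
  const vuln = freshPrompts();
  const vulnResult = deletePromptVulnerable(vuln, USER_B, { promptId: "prompt-1" });

  const hard = freshPrompts();
  const hardResult = deletePromptHardened(hard, USER_B, { promptId: "prompt-1" });

  return {
    vulnerableStatus: vulnResult.status,         // 200: cross-org delete succeeded
    vulnerableStillExists: vuln.has("prompt-1"), // false
    hardenedStatus: hardResult.status,           // 404: prompt invisible to org B
    hardenedStillExists: hard.has("prompt-1"),   // true
  };
}

console.log(replayScenario());
```

The point of the hardened handler is that authorization answers two questions, not one: is this user allowed to perform this action, and is this specific object inside the scope the user's session grants. Deriving that scope from the session rather than from request parameters is what closes the parameter-manipulation path.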

Who is affected

Users and organizations using version 1.2.13 of the software are affected. Specifically, any organization that relies on the integrity of their prompts and datasets is at risk.
