FS#56 - Unauthorized Organization Creation
- Status: Closed
- Assigned To: cbay - Private
- Opened by mudhaxk - 12.07.2024
- Last edited by cbay - 12.07.2024
Summary:
A vulnerability was discovered where a user who is not given permission on invite is still able to create a new organization, potentially leading to unauthorized access and data breaches.
Impact:
- Unauthorized access to sensitive information
- Potential data breaches
- Increased risk of account takeover
Expected Result:
- User without permission should not be able to create a new organization
- User should only be added to the organization with proper permission
Actual Result:
- User without permission is given a new organization on accepting the invite
- User is added to the new organization with unnecessary permissions
Steps to Reproduce:
1. Invite a user without permission
2. Observe the user creating a new organization
3. Verify the user's unnecessary permissions in the new organization
Recommended Fix:
1. Implement permission checks to prevent unauthorized organization creation
2. Ensure users are only added to organizations with proper permission
3. Validate user permissions on each request to prevent abuse
Conclusion:
This vulnerability poses a critical risk to sensitive information and user accounts. Implementing proper permission checks and validation will prevent unauthorized access and ensure the security and integrity of user accounts.
Hello,
We don't have any concept of "organization", so I don't know what you're referring to.
Kind regards,
Cyril
Hello,
Sorry for the misunderstanding. I attached a screenshot of what I mean.
https://drive.google.com/file/d/13eqgLZ_X24pHJ5m0qdVbJThiZTWytGMB/view?usp=sharing
So you mean "account". Just because someone gave you access to their own account doesn't mean you cannot create your own account. There's no security issue here.
Yes, and if I accept access to the account, I won't be added to the account because I wasn't given any permission on invite, so on accepting the invitation I will only be creating a new account.