Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by mudhaxk - 12.07.2024
Last edited by cbay - 12.07.2024

FS#58 - Missing Invitation Link for Existing Users

Summary:

A vulnerability was discovered where a user with an existing account is not sent an invitation link when added to an organization, potentially leading to confusion and unauthorized access.

Impact:

- User unable to access organization resources
- Potential unauthorized access to sensitive information
- Increased risk of account takeover

Expected Result:

- User with an existing account should receive an invitation link to join the organization
- User should be prompted to accept the invitation and join the organization

Actual Result:

- No invitation link is sent to the user
- User is not prompted to accept the invitation and join the organization

Severity according to CVSS 3:

- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Sensitivity (S): Medium (M)
- Confidentiality (C): Medium (M)
- Integrity (I): Medium (M)
- Availability (A): Medium (M)

CVSS 3 Score: 6.5 (Medium)

Steps to Reproduce:

1. Add a user with an existing account to an organization
2. Observe no invitation link being sent to the user
3. Verify the user's inability to access organization resources

Recommended Fix:

1. Implement automatic invitation link sending for existing users
2. Ensure users receive a prompt to accept the invitation and join the organization
3. Validate user accounts and organization membership to prevent unauthorized access

Conclusion:

This vulnerability poses a medium risk to user access and organization security. Implementing automatic invitation link sending for existing users will ensure proper access and prevent unauthorized access attempts.

Closed by cbay
12.07.2024 15:06
Reason for closing:  Invalid
Admin
cbay commented on 12.07.2024 14:34

Hello,

We don't have any concept of "organization", so I don't know what you're referring to.

Kind regards,
Cyril

Hello,

Sorry for the misunderstanding. I attached a screenshot of what I mean.

https://drive.google.com/file/d/13eqgLZ_X24pHJ5m0qdVbJThiZTWytGMB/view?usp=sharing

Admin
cbay commented on 12.07.2024 14:55

An invitation email is only sent if the person you gave permissions to doesn't already have a profile. If they do, then no email is sent. There's no security issue here.
