
ID | Status | Summary | Opened by

58 | Closed | Missing Invitation Link for Existing Users | mudhaxk

Task Description

Summary:

A vulnerability was discovered where a user with an existing account is not sent an invitation link when added to an organization, potentially leading to confusion and unauthorized access.

Impact:

- User unable to access organization resources
- Potential unauthorized access to sensitive information
- Increased risk of account takeover

Expected Result:

- User with an existing account should receive an invitation link to join the organization
- User should be prompted to accept the invitation and join the organization

Actual Result:

- No invitation link is sent to the user
- User is not prompted to accept the invitation and join the organization

Severity according to CVSS 3:

- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Sensitivity (S): Medium (M)
- Confidentiality (C): Medium (M)
- Integrity (I): Medium (M)
- Availability (A): Medium (M)

CVSS 3 Score: 6.5 (Medium)

Steps to Reproduce:

1. Add a user with an existing account to an organization
2. Observe no invitation link being sent to the user
3. Verify the user's inability to access organization resources

Recommended Fix:

1. Implement automatic invitation link sending for existing users
2. Ensure users receive a prompt to accept the invitation and join the organization
3. Validate user accounts and organization membership to prevent unauthorized access

Conclusion:

This vulnerability poses a medium risk to user access and organization security. Implementing automatic invitation link sending for existing users will ensure proper access and prevent unauthorized access attempts.

57 | Closed | Lack of Password Confirmation on Delete Account and GET ... | mudhaxk

Task Description

Summary:

A vulnerability was discovered where the delete account functionality lacks password confirmation and is vulnerable to GET-based CSRF, potentially allowing attackers to delete accounts without authorization.

Impact:

- Unauthorized account deletion
- Potential data loss
- Increased risk of account takeover

Expected Result:

- Password confirmation should be required to delete an account
- CSRF protection should prevent unauthorized requests

Actual Result:

- No password confirmation is required to delete an account
- GET-based CSRF vulnerability allows unauthorized account deletion

Steps to Reproduce:

1. Log in to the application
2. Trick the user into clicking a malicious link to delete their account: https://admin.alwaysdata.com/admin/details/1/delete
3. User clicks submit
4. Observe the account being deleted without password confirmation

Recommended Fix:

1. Implement password confirmation requirement for delete account functionality
2. Implement CSRF protection for delete account functionality
3. Validate requests to prevent unauthorized account deletion

Conclusion:

This vulnerability poses a critical risk to user accounts and data. Implementing password confirmation and CSRF protection for delete account functionality will prevent unauthorized account deletion and ensure the security and integrity of user accounts.
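The two defects this report names (a state change reachable by GET, and no password re-entry) are easiest to see with the weak handler beside a hardened one. The following is an added example written for this page, not alwaysdata's code: `Request`, the in-memory user table and the endpoint shape are constructed stand-ins for a web framework's request object and user model, and the PBKDF2 round count is an example value.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 100_000  # constructed example value; tune for the deployment


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Salted PBKDF2-SHA256; returns salt || digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Request:
    """Minimal stand-in for a framework request (constructed for this example)."""
    method: str
    form: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)


def make_users() -> dict:
    """Constructed user table: id -> record. User 1 has a known password."""
    return {1: {"password": hash_password("correct horse"), "deleted": False}}


def delete_account_vulnerable(req: Request, users: dict) -> int:
    """The pattern the report describes: any request carrying the victim's
    session cookie, including a GET triggered by a link, deletes the account."""
    user_id = req.session.get("user_id")
    if user_id not in users or users[user_id]["deleted"]:
        return 403
    users[user_id]["deleted"] = True
    return 302


def issue_csrf_token(session: dict) -> str:
    """Per-session secret that the delete form must echo back."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def delete_account_hardened(req: Request, users: dict) -> int:
    """Hardened handler: POST only, CSRF token bound to the session, and the
    account password re-entered in the same form."""
    if req.method != "POST":
        return 405  # a GET (a plain link) can never change state
    user_id = req.session.get("user_id")
    if user_id not in users or users[user_id]["deleted"]:
        return 403
    expected = req.session.get("csrf_token")
    supplied = req.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403  # cross-site form without the session-bound token
    if not verify_password(req.form.get("password", ""), users[user_id]["password"]):
        return 403  # a stolen or ridden session alone is not enough
    users[user_id]["deleted"] = True
    req.session.clear()  # end the session of the account that no longer exists
    return 302
```

The CSRF check and the password check are deliberately independent: the token defeats a cross-site request from the victim's own browser, while the password re-entry also covers a session hijacked outright, which a CSRF token does nothing against.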

56 | Closed | Unauthorized Organization Creation | mudhaxk

Task Description

Summary:

A vulnerability was discovered where a user who is not given permission on invite is still able to create a new organization, potentially leading to unauthorized access and data breaches.

Impact:

- Unauthorized access to sensitive information
- Potential data breaches
- Increased risk of account takeover

Expected Result:

- User without permission should not be able to create a new organization
- User should only be added to the organization with proper permission

Actual Result:

- User without permission is given a new organization on accepting invite
- User is added to the new organization with unnecessary permissions

Steps to Reproduce:

1. Invite a user without permission
2. Observe the user creating a new organization
3. Verify the user's unnecessary permissions in the new organization

Recommended Fix:

1. Implement permission checks to prevent unauthorized organization creation
2. Ensure users are only added to organizations with proper permission
3. Validate user permissions on each request to prevent abuse

Conclusion:

This vulnerability poses a critical risk to sensitive information and user accounts. Implementing proper permission checks and validation will prevent unauthorized access and ensure the security and integrity of user accounts.
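Tasks 58 and 56 are two sides of one invitation flow: the link must be issued to every invitee, existing account or not, and accepting it must grant exactly the invited role in the invited organization rather than minting a new one. The block below is an added example for this page, not alwaysdata's implementation: the `Directory` model, the `member`/`admin` role set, the seven-day validity and the signing key are all constructed assumptions. The invitation is a signed token (HMAC-SHA256 over the claims) so the role and organization cannot be altered between issue and acceptance.

```python
import base64
import binascii
import hashlib
import hmac
import json
from dataclasses import dataclass, field

INVITE_KEY = b"constructed-demo-key-rotate-in-production"  # placeholder, not a real secret
ROLES = {"member", "admin"}                                  # assumed role set


@dataclass
class Directory:
    """Constructed in-memory model: existing accounts, organizations, memberships,
    and the mail outbox that invitation links are written to."""
    users: set = field(default_factory=set)          # e-mail addresses with accounts
    orgs: dict = field(default_factory=dict)         # org id -> owner e-mail
    memberships: dict = field(default_factory=dict)  # (email, org id) -> role
    outbox: list = field(default_factory=list)       # (email, token) pairs "sent"


def b64encode_url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64decode_url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_invitation(d, org_id, email, role, now, ttl=7 * 86400, key=INVITE_KEY):
    """Task 58: the link is produced for every invitee; whether the address
    already has an account is irrelevant at issue time."""
    if org_id not in d.orgs or role not in ROLES:
        raise ValueError("unknown organization or role")
    claims = {"org": org_id, "email": email.lower(), "role": role, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    token = f"{b64encode_url(payload)}.{b64encode_url(sig)}"
    d.outbox.append((email.lower(), token))
    return token


def accept_invitation(d, token, user_email, now, key=INVITE_KEY):
    """Task 56: acceptance only ever adds a membership with the signed role in the
    signed organization; it never creates an organization or elevates the role."""
    try:
        body, sig = token.split(".")
        payload, given = b64decode_url(body), b64decode_url(sig)
        want = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(want, given):
            return "invalid"  # tampered claims or forged token
        claims = json.loads(payload)
        org, email, role = claims["org"], claims["email"], claims["role"]
        exp = int(claims["exp"])
    except (ValueError, KeyError, TypeError, binascii.Error):
        return "invalid"
    if now > exp:
        return "expired"
    if email != user_email.lower():
        return "wrong-account"  # link bound to the invited address only
    if org not in d.orgs or role not in ROLES:
        return "invalid"
    if email not in d.users:
        return "account-required"  # sign up first, then accept the same link
    d.memberships[(email, org)] = role
    return "joined"
```

Keeping the organization id and role inside the signed claims, rather than in a form field the invitee submits, is what removes the path the report describes: there is nothing in the accept request for the user to choose, so there is no "create organization" branch to reach.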

55 | Closed | Session Not Invalidated on Permission Change | mudhaxk

Task Description

Summary:

A vulnerability was discovered where the session is not invalidated when permissions are changed, potentially allowing attackers to access sensitive information without proper authorization.

Impact:

- Unauthorized access to sensitive information
- Potential data breaches
- Increased risk of account takeover

Expected Result:

- Session should be invalidated when permissions are changed
- User should be prompted to re-authenticate with new permissions

Actual Result:

- Session remains active after permission change
- User retains access to sensitive information without re-authentication

Steps to Reproduce:

1. {Browser A → Admin} Log in to the application
2. {Browser A → Admin} Change permissions for the user
3. {Browser B → User} Log in to the application
4. Observe the session remaining active
5. Attempt to access sensitive information

Recommended Fix:

1. Invalidate the session when permissions are changed
2. Require users to re-authenticate with new permissions
3. Implement additional security measures, such as token-based authentication and secure cookie management

Conclusion:

This vulnerability poses a critical risk to sensitive information and user accounts. Invalidating the session when permissions are changed will prevent unauthorized access and ensure the security and integrity of user accounts.
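The root cause the report points at is a session that carries rights fixed at login. The following is an added example for this page, not alwaysdata's code: `Store`, `User` and the permission names are constructed, and the fix shown combines the two approaches from the recommended fix list, eager revocation of the user's sessions when an admin changes permissions and a per-request version check that catches any session the revocation missed (for example one cached on another node).

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    perms: set
    perm_version: int = 0  # bumped on every permission change


@dataclass
class Store:
    """Constructed in-memory user table and server-side session store."""
    users: dict = field(default_factory=dict)     # name -> User
    sessions: dict = field(default_factory=dict)  # session id -> dict


def make_store() -> Store:
    """Constructed fixture: one user who starts with read and write rights."""
    return Store(users={"alice": User("alice", {"billing:read", "billing:write"})})


def login(store: Store, name: str) -> str:
    user = store.users[name]
    sid = secrets.token_urlsafe(32)
    store.sessions[sid] = {
        "user": name,
        "perm_version": user.perm_version,
        "perms_snapshot": set(user.perms),  # only the stale variant below uses this
    }
    return sid


def authorize_stale(store: Store, sid: str, perm: str) -> str:
    """The pattern in the report: rights copied into the session at login and
    never re-checked, so a later permission change has no effect on Browser B."""
    sess = store.sessions.get(sid)
    if sess is None:
        return "login-required"
    return "allowed" if perm in sess["perms_snapshot"] else "forbidden"


def change_permissions(store: Store, name: str, new_perms, revoke_sessions: bool = True):
    """Admin action. Bumps the user's permission version and, by default, drops
    every live session for that user so they must log in under the new rights."""
    user = store.users[name]
    user.perms = set(new_perms)
    user.perm_version += 1
    if revoke_sessions:
        for sid in [s for s, v in store.sessions.items() if v["user"] == name]:
            del store.sessions[sid]


def authorize(store: Store, sid: str, perm: str) -> str:
    """Per-request check: the session is only valid while its recorded version
    matches the user's current one; otherwise it is destroyed on the spot."""
    sess = store.sessions.get(sid)
    if sess is None:
        return "login-required"
    user = store.users[sess["user"]]
    if sess["perm_version"] != user.perm_version:
        del store.sessions[sid]
        return "login-required"
    return "allowed" if perm in user.perms else "forbidden"
```

The version counter is what makes the lazy check cheap: one integer comparison per request against the user record, with no need to enumerate sessions at permission-change time in deployments where that list is not readily available.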
