Users can add themselves to arbitrary organizations in cloudexplorer-dev/cloudexplorer-lite

Valid

Reported on

May 13th 2023


Proof of Concept

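1 User1 belongs to the organization team1 and does not belong to team2

2 User1 edits their own profile

3 In the UI, user1 can only see team1 when changing their organization

4 However, we intercept the request with Burp Suite and replace the ID of team1 in the request with that of team2

5 We continue the request and find that it succeeds

6 The cause is that although we ensured in the UI that team2 is not visible, the server does not check whether user1 is allowed to select team2

Reproduction video: https://1drv.ms/v/s!Avwg5C1eKVA4girUgKWl9SQX543P?e=N1ZU47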

Impact

Users can add themselves to arbitrary organizations
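
The missing server-side check from step 6, shown as an added example that is not part of the original report and is not the project's code. The handler names, the `ALLOWED_ORGS` store and the ID strings are hypothetical; the "before" handler trusts the submitted organization IDs, the "after" handler checks them against server-side state.

```python
from dataclasses import dataclass, field

# Constructed sample data: the server-side record of which organizations each
# user may select. All names and IDs here are hypothetical.
ALLOWED_ORGS = {"user1": {"team1-id"}}


class Forbidden(Exception):
    """Raised when a request names an organization the caller may not select."""


@dataclass
class Profile:
    username: str
    org_ids: set = field(default_factory=set)


def update_profile_vulnerable(profile, requested_org_ids):
    # Before: the handler stores whatever IDs arrive in the request body.
    # The UI only lists team1, but nothing here enforces that.
    profile.org_ids = set(requested_org_ids)
    return profile


def update_profile_checked(profile, requested_org_ids):
    # After: the decision uses server-side state, never the set of options
    # the client happened to be shown.
    allowed = ALLOWED_ORGS.get(profile.username, set())
    rejected = set(requested_org_ids) - allowed
    if rejected:
        raise Forbidden(f"{profile.username} may not select {sorted(rejected)}")
    profile.org_ids = set(requested_org_ids)
    return profile


def demo():
    tampered = ["team2-id"]  # request body after the ID was changed in transit
    before = update_profile_vulnerable(Profile("user1", {"team1-id"}), tampered)
    try:
        update_profile_checked(Profile("user1", {"team1-id"}), tampered)
        blocked = False
    except Forbidden:
        blocked = True
    return before.org_ids, blocked


if __name__ == "__main__":
    print(demo())
```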

We are processing your report and will contact the cloudexplorer-dev/cloudexplorer-lite team within 24 hours. 9 months ago
We have contacted a member of the cloudexplorer-dev/cloudexplorer-lite team and are waiting to hear back 9 months ago
9 months ago

Maintainer


Thank you for your feedback. We have confirmed that this vulnerability will be fixed in the next version.

Can you give us a CVE number first and we will issue credits to you.

lujiefsi
9 months ago

Researcher


Hi: Maintainer

I do not have the permission to assign a CVE.

@admin from huntr, could you please help Maintainer to obtain a CVE number?

But you can mark this report as valid first.

lujiefsi
9 months ago

Researcher


@Maintainer You can mark this report as valid first.

lujiefsi
9 months ago

Researcher


@Maintainer even if the report is marked as valid, it is still not public.

9 months ago

Maintainer


Okay, thank you for your suggestion!

We have applied for the CVE number.

We have sent a follow up to the cloudexplorer-dev/cloudexplorer-lite team. We will try again in 4 days. 9 months ago
cloudexplorer-dev/cloudexplorer-lite maintainer validated this vulnerability 9 months ago
lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Ben Harvie
9 months ago

Admin


Hi maintainer, if you could please mark this as fixed once the vulnerability has been patched and we can assign a CVE at this point of the process:)

9 months ago

Maintainer


Thank you. We have fixed this vulnerability in v1.1.0 and will release it on May 23rd. After release, we will mark it as fixed.

Pavlos
9 months ago

Admin


Sounds good! For the record, marking a report as fixed doesn't publish it. We will ask you when you would like it published.

Thank you for your contribution!

cloudexplorer-dev/cloudexplorer-lite maintainer marked this as fixed in v1.1.0 with commit d9f55a 9 months ago
The fix bounty has been dropped
This vulnerability has now been published 9 months ago