Improper Privilege Management in mailtrain-org/mailtrain
Jun 5th 2021
A lower-level user can revoke an admin's access to a campaign.
The admin will then no longer be able to access that particular campaign.
This happens when the lower-level user adds the admin to a campaign share and then removes him again.
STEPS TO REPRODUCE
1. From the admin account, go to http://localhost:3000/users and add a new user B with role. So user B can't access any property by default.
2. From the admin account, go to http://localhost:3000/campaigns and add a new campaign. Now add user B to this campaign with the master role. So user B has full access to this campaign.
3. Now go to user B's account and visit the campaign above. Here user B adds the admin to this campaign with the master role. Finally, user B removes the admin from this campaign's share.
4. Now go to the admin account and see that the admin can't access the campaign above anymore.
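The sequence above modelled in Python, as an added example that is not Mailtrain's code: the share table, the role ranks and the function names are assumptions made for illustration. It contrasts an access check derived only from the share table with one where a global admin is never gated by shares and a share cannot be revoked from a higher-privileged user.

```python
from dataclasses import dataclass, field

# Assumed model (not Mailtrain's): users have a global role, campaigns keep a
# per-user share table mapping user name -> share role ("master" here).
ROLE_RANK = {"user": 1, "admin": 2}

@dataclass
class User:
    name: str
    role: str  # global role: "user" or "admin"

@dataclass
class Campaign:
    name: str
    shares: dict = field(default_factory=dict)

def can_access_vulnerable(user, campaign):
    # Access derived only from the share table: the behaviour the report describes.
    return user.name in campaign.shares

def can_access_fixed(user, campaign):
    # A global admin is never gated by per-campaign shares.
    return user.role == "admin" or user.name in campaign.shares

def revoke_share(actor, target, campaign):
    # Only a master on the campaign or a global admin may manage shares, and
    # nobody may revoke the share of a user with a higher global rank.
    if actor.role != "admin" and campaign.shares.get(actor.name) != "master":
        raise PermissionError("actor may not manage shares on this campaign")
    if ROLE_RANK[target.role] > ROLE_RANK[actor.role]:
        raise PermissionError("cannot revoke a higher-privileged user's share")
    campaign.shares.pop(target.name, None)

def reproduce():
    # Steps 2-3 of the report with no rank check on revocation.
    admin, campaign = User("admin", "admin"), Campaign("c1")
    campaign.shares["userB"] = "master"  # admin shares campaign with user B
    campaign.shares["admin"] = "master"  # user B adds admin as master
    campaign.shares.pop("admin")         # user B removes admin again
    return can_access_vulnerable(admin, campaign), can_access_fixed(admin, campaign)

def hardened_attempt():
    # Same revocation through revoke_share: user B is refused, admin keeps access.
    admin, user_b = User("admin", "admin"), User("userB", "user")
    campaign = Campaign("c1", {"userB": "master", "admin": "master"})
    try:
        revoke_share(user_b, admin, campaign)
    except PermissionError:
        return "admin" in campaign.shares
    return False
```

`reproduce()` returns `(False, True)`: the share-only check locks the admin out, the fixed check does not; `hardened_attempt()` returns `True` because the revocation is refused.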