Improper Privilege Management in mailtrain-org/mailtrain


Reported on

Jun 5th 2021


A lower-level user can revoke an admin's access to a campaign.


The admin will then no longer be able to access that particular campaign.
This happens when a lower-level user adds the admin to a campaign and then removes them.


1. From the admin account, go to http://localhost:3000/users and add a new user B with the role None.
So, user B cannot access any property by default.

2. From the admin account, go to http://localhost:3000/campaigns and add a new campaign.
Now add user B to this campaign with the master role.
So, user B has full access to this campaign.

3. Now go to user B's account and visit the above campaign at http://localhost:3000/campaigns/3/share .
Here, user B adds the admin to this campaign with the master role.
Finally, user B removes the admin from this campaign's shares.

4. Now go to the admin account and observe that the admin can no longer access the above campaign.
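The steps above describe a share revocation that strips access the admin should hold through a global role. The following toy model is an added example, not Mailtrain's code or the fix in the referenced commit; it assumes two global roles ("admin" and "none"), per-entity share rows stored as explicit permission lists, and a single campaign entity. It replays the report's steps 2 to 4 against a resolver where a share row shadows the global role (the failure mode) and against two defences: a rank guard on revocation, and union semantics where a share can only add permissions.

```javascript
// Added example (not Mailtrain's code): toy model of entity sharing vs. global roles.
const GLOBAL_PERMS = { admin: ['view', 'edit', 'share'], none: [] };

function newState() {
  // shares is keyed by `${entity}:${user}` and holds the permissions granted by a share row
  return { roles: { admin: 'admin', userB: 'none' }, shares: new Map() };
}

// Vulnerable resolution: an explicit share row, even an empty one left behind by a
// revocation, shadows the global role, so a revoked global admin ends up with nothing.
function permsShadowing(state, user, entity) {
  const share = state.shares.get(`${entity}:${user}`);
  return new Set(share !== undefined ? share : GLOBAL_PERMS[state.roles[user]]);
}

// Hardened resolution: global role and share row are unioned; a share can only add access.
function permsUnion(state, user, entity) {
  const perms = new Set(GLOBAL_PERMS[state.roles[user]]);
  for (const p of state.shares.get(`${entity}:${user}`) || []) perms.add(p);
  return perms;
}

function grantShare(state, resolve, actor, target, entity, perms) {
  if (!resolve(state, actor, entity).has('share')) throw new Error(`${actor} may not share ${entity}`);
  state.shares.set(`${entity}:${target}`, perms);
}

// Revocation writes an empty share row (models a "role: none" entry). With the guard on,
// a user whose own access is share-only cannot touch the entry of a global admin.
function revokeShare(state, resolve, actor, target, entity, guard) {
  if (!resolve(state, actor, entity).has('share')) throw new Error(`${actor} may not share ${entity}`);
  if (guard && state.roles[actor] !== 'admin' && state.roles[target] === 'admin') {
    throw new Error(`${actor} may not revoke a global admin`);
  }
  state.shares.set(`${entity}:${target}`, []);
}

// Replays steps 2-4 of the report; returns whether the admin can still view the campaign.
function replayReport(resolve, guard) {
  const s = newState();
  grantShare(s, resolve, 'admin', 'userB', 'campaign3', ['view', 'edit', 'share']); // step 2
  try {
    grantShare(s, resolve, 'userB', 'admin', 'campaign3', ['view', 'edit', 'share']); // step 3
    revokeShare(s, resolve, 'userB', 'admin', 'campaign3', guard);
  } catch (e) {
    // the guard rejected the revocation, so the admin's share row is left untouched
  }
  return resolve(s, 'admin', 'campaign3').has('view'); // step 4
}
```

Only the shadowing resolver without the guard loses the admin's access; either defence on its own keeps it.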

ranjit-git modified the report
3 years ago
Tomas Bures
3 years ago


Thanks for the report. I'll check it.

Tomas Bures validated this vulnerability 3 years ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Tomas Bures marked this as fixed with commit 91cb4b 3 years ago
Tomas Bures has been awarded the fix bounty