IDOR Leads to Archiving Users in tooljet/tooljet
Reported on
Jun 9th 2022
Description
In this case an attacker can archive any user of any targeted organization.
Proof of Concept
- The attacker creates a new organization, OrgA.
- The attacker adds any user to OrgA and archives that user.
- Capture this request in Burp Suite.
- The victim is a user of organization OrgB.
- Change the user id in the captured request to the victim's user id; the victim is then archived from OrgB, even though the attacker has no access to that organization.
Impact
Archive/unarchive any or all users of any organization. So if an attacker is a member of an organization and that organization archives his account, he can unarchive his account using this vulnerability, which is a huge privacy concern for the organization. In the same way the attacker can remove any user's access to an organization.
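The root cause described in the Proof of Concept and Impact sections is that the archive request is authorized only by the user id it carries, not by the organization the caller is authenticated into. The following is an added example, not ToolJet's code: it models the vulnerable handler next to a tenant-scoped version in TypeScript (ToolJet's backend language). The data model, the `archiveUser*` function names and the sample organizations OrgA/OrgB are assumptions for illustration; the hardened variant also covers the unarchive case from the Impact section by taking the target status as a parameter.

```typescript
// Added example (not ToolJet's code): the IDOR from the report and the
// tenant-scoped check that closes it. Names and data are assumed.

type OrgId = string;
type UserId = string;
type Status = "active" | "archived";

interface Membership {
  userId: UserId;
  orgId: OrgId;
  status: Status;
}

// Constructed sample data: the attacker controls OrgA, the victim is in OrgB.
function sampleMemberships(): Membership[] {
  return [
    { userId: "attacker", orgId: "OrgA", status: "active" },
    { userId: "colleague", orgId: "OrgA", status: "active" },
    { userId: "victim", orgId: "OrgB", status: "active" },
  ];
}

// Vulnerable pattern: the handler trusts the user id from the request body
// and updates whichever row it names. Nothing ties the row to the caller's
// organization, so swapping the id reaches users of other tenants.
function archiveUserVulnerable(store: Membership[], targetUserId: UserId): boolean {
  const row = store.find((m) => m.userId === targetUserId);
  if (!row) return false;
  row.status = "archived";
  return true;
}

// Hardened pattern: the organization comes from the authenticated session,
// never from the request, and the lookup is scoped to that organization.
// A user outside the caller's tenant is simply "not found" (a 404, not a
// 403, so the endpoint does not reveal whether the id exists elsewhere).
// Role checks (only org admins may archive) are a separate layer and are
// not modelled here.
function setMembershipStatusScoped(
  store: Membership[],
  actorOrgId: OrgId,
  targetUserId: UserId,
  status: Status,
): boolean {
  const row = store.find(
    (m) => m.userId === targetUserId && m.orgId === actorOrgId,
  );
  if (!row) return false;
  row.status = status;
  return true;
}

// Convenience wrappers matching the two operations named in the report.
function archiveUserScoped(store: Membership[], actorOrgId: OrgId, targetUserId: UserId): boolean {
  return setMembershipStatusScoped(store, actorOrgId, targetUserId, "archived");
}

function unarchiveUserScoped(store: Membership[], actorOrgId: OrgId, targetUserId: UserId): boolean {
  return setMembershipStatusScoped(store, actorOrgId, targetUserId, "active");
}

function statusOf(store: Membership[], userId: UserId): Status | undefined {
  return store.find((m) => m.userId === userId)?.status;
}

// Stand-alone demonstration of both paths.
function demo(): { vulnerableHit: boolean; scopedBlocked: boolean; scopedOwnOrg: boolean } {
  const a = sampleMemberships();
  const vulnerableHit = archiveUserVulnerable(a, "victim"); // cross-tenant archive succeeds
  const b = sampleMemberships();
  const scopedBlocked = !archiveUserScoped(b, "OrgA", "victim"); // rejected
  const scopedOwnOrg = archiveUserScoped(b, "OrgA", "colleague"); // allowed
  return { vulnerableHit, scopedBlocked, scopedOwnOrg };
}

console.log(demo());
```

The fix is the `orgId === actorOrgId` predicate inside the lookup itself: filtering after the fetch, or checking only the caller's own membership, leaves the same cross-tenant write reachable.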
Hi @admin, it looks like the ToolJet team has fixed this issue over here https://github.com/ToolJet/ToolJet/pull/3272. Is there anything you can do?
Thanks
I've dropped a comment https://github.com/ToolJet/ToolJet/pull/3272#issuecomment-1174815105 on the report 👍