IDOR Leads to Archiving Users in tooljet/tooljet

Valid

Reported on

Jun 9th 2022


Description

In this case an attacker is able to archive any user of any targeted organization.

Proof of Concept

  1. Attacker creates a new organization, OrgA.
  2. Attacker adds any user to his organization OrgA and archives that user.
  3. Capture this request in Burp Suite.
  4. The victim is a user of organization OrgB.
  5. Change the user id in the captured request to the victim's user id (from any organization); the victim is then archived from OrgB.

Impact

Archive/unarchive any or all users of any organization. If an attacker is a member of an organization and the organization archives his account, he can use this vulnerability to unarchive his own account, which is a serious privacy concern for the organization. In the same way, the attacker can remove any user's access to an organization.
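To make the missing check behind this IDOR concrete, here is an added illustration in TypeScript (not ToolJet's code, and not the fix in the linked PR): a vulnerable archive handler that acts on whatever user id the request names, next to one that refuses targets outside the caller's organization. The users, emails and organization names are constructed for the example, and `callerId` stands in for the identity taken from the authenticated session.

```typescript
// Added illustration (not ToolJet's code): organization-scoped "archive user"
// authorization, modelled on the IDOR in this report. All data is constructed.

type UserStatus = "active" | "archived";

interface User {
  id: number;
  email: string;
  organizationId: string; // the tenant this membership belongs to
  role: "admin" | "member";
  status: UserStatus;
}

// Constructed sample data: an attacker-controlled OrgA and a victim in OrgB.
const users: User[] = [
  { id: 1, email: "attacker@orga.test", organizationId: "OrgA", role: "admin", status: "active" },
  { id: 2, email: "alice@orga.test", organizationId: "OrgA", role: "member", status: "active" },
  { id: 3, email: "victim@orgb.test", organizationId: "OrgB", role: "member", status: "active" },
];

function findUser(id: number): User | undefined {
  return users.find((u) => u.id === id);
}

// Vulnerable pattern: authorizes on the caller's role only, then acts on
// whatever user id the request body names. An admin of OrgA can archive
// user 3 even though that membership belongs to OrgB.
function archiveUserVulnerable(callerId: number, targetId: number): boolean {
  const caller = findUser(callerId);
  const target = findUser(targetId);
  if (!caller || caller.role !== "admin" || !target) return false;
  target.status = "archived";
  return true;
}

// Hardened pattern: the target must belong to the caller's own organization.
// The tenant is derived from the authenticated caller (callerId here), never
// from the request body, so swapping the id cannot reach another org.
function archiveUserScoped(callerId: number, targetId: number): boolean {
  const caller = findUser(callerId);
  const target = findUser(targetId);
  if (!caller || caller.role !== "admin" || !target) return false;
  if (target.organizationId !== caller.organizationId) return false; // cross-tenant: refuse
  target.status = "archived";
  return true;
}
```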

We are processing your report and will contact the tooljet team within 24 hours. a year ago
We have contacted a member of the tooljet team and are waiting to hear back a year ago
We have sent a follow up to the tooljet team. We will try again in 7 days. a year ago
We have sent a second follow up to the tooljet team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the tooljet team. This report is now considered stale. a year ago
Distorted_Hacker
a year ago

Researcher


Hi @admin, it looks like the tooljet team has fixed this issue over here: https://github.com/ToolJet/ToolJet/pull/3272. Is there anything you can do?

Thanks

Jamie Slome
a year ago

Admin


Midhun G S validated this vulnerability a year ago
Distorted_Hacker has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Midhun G S marked this as fixed in v1.19.0 with commit b9fa22 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE