IDOR Leads to Archiving of Users in tooljet/tooljet

Valid

Reported on

Jun 9th 2022


Description

An attacker can archive any user of any targeted organization. The request that archives a user is authorized by the target's user id alone; the server does not check that the target belongs to the organization the attacker administers, so swapping in another organization's user id is enough.

Proof of Concept

  1. The attacker creates a new organization, OrgA.
  2. The attacker adds a user to OrgA and archives that user.
  3. Capture the archive request in Burp Suite.
  4. The victim is a user of a different organization, OrgB.
  5. Replace the user id in the captured request with the victim's id and resend it; the victim is archived from OrgB.

Impact

Archive or unarchive any user, or every user, of any organization. If the attacker is a member of an organization that has archived their account, they can use this vulnerability to unarchive themselves, which is a serious concern for that organization. In the same way, the attacker can remove any user's access to any organization by archiving them.
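To make the failure concrete, here is an added illustration covering both the PoC above and the unarchive scenario in the Impact section. It is not ToolJet's code and does not reproduce its schema, routes or the fix in the linked PR; the sample users, the session shape and the handler names are assumptions made for the example. The vulnerable handler looks the target up by id alone; the hardened one scopes the lookup to the caller's organization, which is the check an IDOR of this kind is missing.

```typescript
// Added illustration, not ToolJet code: a minimal model of an "archive user"
// handler carrying the IDOR described in the report, beside a version that
// scopes the lookup to the caller's organization. The sample users, session
// shape and handler names are assumptions made for this example.

type Role = "admin" | "member";

interface OrgUser {
  id: string;             // the id the client sends in the archive request
  organizationId: string;
  email: string;
  role: Role;
  archived: boolean;
}

interface Session {
  userId: string;
  organizationId: string; // organization the caller is acting in
  role: Role;
}

// HTTP-style outcome so callers can tell 403 from 404.
type Result = { status: 200; user: OrgUser } | { status: 403 | 404; error: string };

// Constructed sample data: the attacker is an admin of OrgA, the victim is a member of OrgB.
function seedUsers(): OrgUser[] {
  return [
    { id: "u-attacker", organizationId: "OrgA", email: "attacker@orga.example", role: "admin", archived: false },
    { id: "u-orga-member", organizationId: "OrgA", email: "member@orga.example", role: "member", archived: false },
    { id: "u-victim", organizationId: "OrgB", email: "victim@orgb.example", role: "member", archived: false },
  ];
}

// Vulnerable pattern: the target is looked up by id alone. The role check passes
// for any admin of any organization, so swapping in a foreign user id succeeds.
function setArchivedVulnerable(users: OrgUser[], session: Session, targetUserId: string, archived: boolean): Result {
  if (session.role !== "admin") return { status: 403, error: "admin role required" };
  const target = users.find(u => u.id === targetUserId);
  if (!target) return { status: 404, error: "user not found" };
  target.archived = archived;
  return { status: 200, user: target };
}

// Hardened pattern: the lookup is scoped to the caller's organization, so an id
// from another organization is treated exactly like a nonexistent one (404 rather
// than 403, so the response does not confirm that the id exists).
function setArchivedScoped(users: OrgUser[], session: Session, targetUserId: string, archived: boolean): Result {
  if (session.role !== "admin") return { status: 403, error: "admin role required" };
  const target = users.find(u => u.id === targetUserId && u.organizationId === session.organizationId);
  if (!target) return { status: 404, error: "user not found" };
  target.archived = archived;
  return { status: 200, user: target };
}

type Handler = typeof setArchivedVulnerable;

// Replays the report's PoC against a handler: archive a user in the attacker's
// own organization (steps 1-3), then resend the request with the victim's id
// swapped in (step 5) and check whether the victim's record changed.
function replayPoc(handler: Handler): { sameOrg: number; crossOrg: number; victimArchived: boolean } {
  const users = seedUsers();
  const attacker: Session = { userId: "u-attacker", organizationId: "OrgA", role: "admin" };
  const sameOrg = handler(users, attacker, "u-orga-member", true).status;
  const crossOrg = handler(users, attacker, "u-victim", true).status;
  const victimArchived = users.find(u => u.id === "u-victim")!.archived;
  return { sameOrg, crossOrg, victimArchived };
}

console.log("vulnerable:", replayPoc(setArchivedVulnerable)); // { sameOrg: 200, crossOrg: 200, victimArchived: true }
console.log("scoped:    ", replayPoc(setArchivedScoped));     // { sameOrg: 200, crossOrg: 404, victimArchived: false }
```

The same two handlers cover the unarchive case from the Impact section: calling them with `archived = false` and a foreign user id succeeds against the vulnerable version and returns 404 from the scoped one. When auditing a real endpoint, the thing to look for is exactly this shape: a role check on the caller followed by a primary-key lookup that never references the caller's tenant.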

We are processing your report and will contact the tooljet team within 24 hours. 2 months ago
We have contacted a member of the tooljet team and are waiting to hear back 2 months ago
We have sent a follow up to the tooljet team. We will try again in 7 days. 2 months ago
We have sent a second follow up to the tooljet team. We will try again in 10 days. 2 months ago
We have sent a third and final follow up to the tooljet team. This report is now considered stale. a month ago
Distorted_Hacker
a month ago

Researcher


Hi @admin, it looks like the tooljet team has fixed this issue over here: https://github.com/ToolJet/ToolJet/pull/3272. Is there anything you can do?

Thanks

Jamie Slome
a month ago

Admin


Midhun G S validated this vulnerability 10 days ago
Distorted_Hacker has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Midhun G S confirmed that a fix has been merged on b9fa22 10 days ago
The fix bounty has been dropped