IDOR Leads to Archiving Users in tooljet/tooljet


Reported on

Jun 9th 2022


The archive-user request is authorized only by the user id carried in the request; that id is never checked against the organization the caller belongs to. As a result, an attacker can archive any user of any targeted organization.

Proof of Concept

  1. The attacker creates a new organization, OrgA.
  2. The attacker adds any user to OrgA and archives that user.
  3. Capture the archive request in Burp Suite.
  4. The victim is a user of a different organization, OrgB.
  5. Replace the user id in the captured request with the victim's user id and resend it; the victim is archived from OrgB.


Impact: archive or unarchive any user, or all users, of any organization. If the attacker is a member of an organization and that organization archives his account, he can use this vulnerability to unarchive his own account, which is a serious privacy concern for the organization. In the same way, the attacker can remove any user's access to any organization.
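The authorization gap the proof of concept exercises, and the organization-scoped check that closes it, as an added TypeScript example. This is not ToolJet's code and does not reproduce its endpoint, data model or fix; the store, the user ids, the function names and the sample records are all hypothetical.

```typescript
// Added example, not ToolJet's code: the "archive user" operation written
// two ways, to show the IDOR from the report and an organization-scoped
// fix. Every name, type and record below is hypothetical.

interface User {
  id: string;
  orgId: string;
  archived: boolean;
}

class NotFoundError extends Error {}

// Constructed sample data standing in for the users table: the attacker and
// one other member in OrgA, the victim in OrgB.
function makeSampleStore(): Map<string, User> {
  return new Map<string, User>([
    ["u-attacker", { id: "u-attacker", orgId: "OrgA", archived: false }],
    ["u-orga-member", { id: "u-orga-member", orgId: "OrgA", archived: false }],
    ["u-victim", { id: "u-victim", orgId: "OrgB", archived: false }],
  ]);
}

// Vulnerable version: the target user id arrives in the request body and is
// used as-is. The caller is authenticated, but nothing ties the target to the
// caller's organization, so swapping the id in Burp archives anyone.
function setArchivedVulnerable(
  store: Map<string, User>,
  _actorId: string, // authenticated caller, never consulted: that is the bug
  targetId: string, // user id taken straight from the request body
  archived: boolean,
): User {
  const target = store.get(targetId);
  if (!target) throw new NotFoundError("user not found");
  target.archived = archived;
  return target;
}

// Fixed version: resolve the caller's organization server-side (from the
// session, never from the request) and scope the target lookup to it. A
// target in another organization is reported exactly like a nonexistent one,
// so the endpoint cannot be used to enumerate user ids across organizations.
// An archived caller is rejected too, which blocks the self-unarchive case.
function setArchivedScoped(
  store: Map<string, User>,
  actorId: string,
  targetId: string,
  archived: boolean,
): User {
  const actor = store.get(actorId);
  if (!actor || actor.archived) throw new NotFoundError("user not found");
  const target = store.get(targetId);
  if (!target || target.orgId !== actor.orgId) {
    throw new NotFoundError("user not found");
  }
  target.archived = archived;
  return target;
}

// Replays step 5 of the proof of concept (attacker in OrgA archives the
// victim in OrgB) against one of the two versions and reports whether the
// cross-organization archive went through.
function crossOrgArchiveSucceeds(
  fn: (s: Map<string, User>, a: string, t: string, v: boolean) => User,
): boolean {
  const store = makeSampleStore();
  try {
    fn(store, "u-attacker", "u-victim", true);
  } catch (e) {
    if (!(e instanceof NotFoundError)) throw e;
  }
  return store.get("u-victim")!.archived;
}
```

`crossOrgArchiveSucceeds(setArchivedVulnerable)` returns `true` and `crossOrgArchiveSucceeds(setArchivedScoped)` returns `false`. Two points the example does not cover but a real fix needs: the scoped check only enforces organization membership, so a role check (only organization admins may archive) still has to sit in front of it, and an archived account should be refused at authentication time rather than relying on the `actor.archived` test in every handler.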

We are processing your report and will contact the tooljet team within 24 hours. a year ago
We have contacted a member of the tooljet team and are waiting to hear back a year ago
We have sent a follow up to the tooljet team. We will try again in 7 days. a year ago
We have sent a second follow up to the tooljet team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the tooljet team. This report is now considered stale. a year ago


Hi @admin, it looks like the tooljet team has fixed this issue over here. Is there anything you can do?


Jamie Slome
a year ago


Midhun G S validated this vulnerability a year ago
Distorted_Hacker has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Midhun G S marked this as fixed in v1.19.0 with commit b9fa22 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE