Idor Lead to Archive Users in tooljet/tooljet
Valid
Reported on Jun 9th 2022
Description
An attacker is able to archive any user of any targeted organization.
Proof of Concept
- Attacker creates a new organization, OrgA
- Attacker adds any user to their organization OrgA and archives that user
- Capture this archive request in Burp Suite
- The victim is a user of organization OrgB
- Change the user id in the captured request to the victim's user id; the victim is then archived from OrgB
Impact
Archive/unarchive any/all users from any organization. If an attacker is a member of an organization and that organization archives their account, they can use this vulnerability to unarchive their own account, which is a serious privacy concern for the organization. Likewise, the attacker can remove any user's access to an organization.
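The root cause described above is that the archive endpoint trusts a client-supplied user id without tying it to the caller's organization. The following is an added illustration, not ToolJet's code: a hypothetical in-memory model of the archive handler in its vulnerable form beside a hardened form whose user lookup is scoped to the caller's organization. The organization names, user ids and roles are constructed sample data.

```javascript
// Constructed sample data: an admin and a member in each of two organizations.
const users = new Map([
  [1, { id: 1, name: 'orgA-admin',  orgId: 'OrgA', role: 'admin',  archived: false }],
  [2, { id: 2, name: 'orgA-member', orgId: 'OrgA', role: 'member', archived: false }],
  [3, { id: 3, name: 'orgB-admin',  orgId: 'OrgB', role: 'admin',  archived: false }],
  [4, { id: 4, name: 'orgB-member', orgId: 'OrgB', role: 'member', archived: false }],
]);

function resetUsers() {
  for (const u of users.values()) u.archived = false;
}

// Vulnerable pattern (hypothetical): the role check proves the caller is an
// admin of *some* organization, then the handler archives whatever id the
// request body names. Nothing links the target to the caller's organization.
function archiveUserVulnerable(caller, targetUserId) {
  if (caller.role !== 'admin') return { status: 403, error: 'forbidden' };
  const target = users.get(targetUserId); // IDOR: any existing id is accepted
  if (!target) return { status: 404, error: 'not found' };
  target.archived = true;
  return { status: 200, archived: target.id };
}

// Hardened pattern: the lookup itself is scoped by caller.orgId, so a user in
// another organization is treated exactly like a non-existent one (returning
// 404 rather than 403 also avoids confirming that the id exists).
function archiveUserHardened(caller, targetUserId) {
  if (caller.role !== 'admin') return { status: 403, error: 'forbidden' };
  const target = users.get(targetUserId);
  if (!target || target.orgId !== caller.orgId) return { status: 404, error: 'not found' };
  if (target.id === caller.id) return { status: 400, error: 'cannot archive self' };
  target.archived = true;
  return { status: 200, archived: target.id };
}

// Replays the report's scenario against one handler: OrgA's admin submits a
// request whose user id has been swapped to a member of OrgB. Returns true if
// the cross-organization archive went through.
function crossOrgArchiveSucceeds(handler) {
  resetUsers();
  const res = handler(users.get(1), 4);
  return res.status === 200 && users.get(4).archived === true;
}

console.log('vulnerable handler archives OrgB user:', crossOrgArchiveSucceeds(archiveUserVulnerable));
console.log('hardened handler archives OrgB user:  ', crossOrgArchiveSucceeds(archiveUserHardened));
```

The same organization-scoped lookup applies to the unarchive path mentioned in the impact, since an attacker who can unarchive an arbitrary id can restore their own access after being archived.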
We are processing your report and will contact the tooljet team within 24 hours.
2 months ago
We have contacted a member of the tooljet team and are waiting to hear back.
2 months ago
We have sent a follow up to the tooljet team. We will try again in 7 days.
2 months ago
We have sent a second follow up to the tooljet team. We will try again in 10 days.
2 months ago
We have sent a third and final follow up to the tooljet team. This report is now considered stale.
a month ago
Hi @admin, it looks like the tooljet team has fixed this issue here: https://github.com/ToolJet/ToolJet/pull/3272. Is there anything you can do?
Thanks
I've dropped a comment https://github.com/ToolJet/ToolJet/pull/3272#issuecomment-1174815105 on the report 👍
The researcher's credibility has increased: +7
The fix bounty has been dropped