Improper Access Control in collectiveaccess/pawtucket2
Oct 1st 2021
After the previous patch, users can still join the Root group by requesting http://[PAWTUCKET-URL]/pawtucket/index.php/LoginReg/joinGroup/group_code/* , i.e. with the group_code path parameter set to *.
Proof of Concept
Attackers can join the Root group without being invited. Weirdly, I cannot join any other groups using the standard group_code URL after the new fix (I think it may be broken!), but I can access the Root group, perhaps because MySQL interprets * as 'all elements' and the first element in the ca_user_groups table is Root.
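The following is an added example, not code from this report or from CollectiveAccess. It models the behaviour the report describes: a joinGroup lookup in which a group_code of * is treated as a wildcard matches every row of ca_user_groups and returns the first one, Root, beside a hardened lookup that requires a strict code syntax, an exact match, and an explicit self-service flag. Only the table name ca_user_groups and the fact that Root is its first row come from the report; the column names, the self_service flag, the memberships table, the sample rows, and the wildcard-to-LIKE translation are assumptions made for this example, and SQLite stands in for the real database.

```python
import re
import sqlite3


# Constructed stand-in for the ca_user_groups table named in the report.
# Only the table name comes from the report; the columns, the rows and the
# memberships table are assumptions made for this example.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE ca_user_groups ("
        "group_id INTEGER PRIMARY KEY, code TEXT UNIQUE NOT NULL, "
        "name TEXT NOT NULL, self_service INTEGER NOT NULL)"
    )
    con.executemany(
        "INSERT INTO ca_user_groups VALUES (?, ?, ?, ?)",
        [
            (1, "root", "Root", 0),              # privileged, first row, never joinable
            (2, "editors", "Editors", 0),        # invite-only
            (3, "volunteers", "Volunteers", 1),  # open to self-service joining
        ],
    )
    con.execute("CREATE TABLE memberships (user_id INTEGER, group_id INTEGER)")
    return con


def find_group_wildcard(con, group_code):
    """Hypothetical vulnerable lookup modelled on the reported behaviour.

    '*' is translated into the SQL LIKE wildcard '%', so it matches every
    row, and the first row by group_id (Root) is the one returned.
    """
    pattern = group_code.replace("*", "%")
    return con.execute(
        "SELECT group_id, name FROM ca_user_groups WHERE code LIKE ? "
        "ORDER BY group_id LIMIT 1",
        (pattern,),
    ).fetchone()


# Group codes are restricted to a short alphanumeric token; wildcard
# characters such as '*' or '%' never reach the query.
CODE_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def find_group_exact(con, group_code):
    """Hardened lookup: strict code syntax, exact equality match, and only
    groups explicitly flagged as self-service can be resolved at all."""
    if not isinstance(group_code, str) or not CODE_RE.fullmatch(group_code):
        return None
    return con.execute(
        "SELECT group_id, name FROM ca_user_groups "
        "WHERE code = ? AND self_service = 1",
        (group_code,),
    ).fetchone()


def join_group(con, user_id, group_code, lookup):
    """Self-service join handler using the supplied lookup function.
    Returns the name of the group joined, or None if the join was refused."""
    row = lookup(con, group_code)
    if row is None:
        return None
    group_id, name = row
    con.execute("INSERT INTO memberships VALUES (?, ?)", (user_id, group_id))
    return name


def groups_of(con, user_id):
    """Names of the groups a user now belongs to, for checking the outcome."""
    rows = con.execute(
        "SELECT g.name FROM memberships m JOIN ca_user_groups g "
        "ON g.group_id = m.group_id WHERE m.user_id = ? ORDER BY g.group_id",
        (user_id,),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    con = make_db()
    # group_code '*' against the wildcard lookup lands the user in Root
    print("wildcard lookup, '*':", join_group(con, 42, "*", find_group_wildcard))
    # the same input against the hardened lookup is refused
    print("exact lookup, '*':   ", join_group(con, 43, "*", find_group_exact))
    # a real, self-service group code still works
    print("exact lookup, open:  ", join_group(con, 43, "volunteers", find_group_exact))
    print(groups_of(con, 42), groups_of(con, 43))
```

The point of the hardened version is that a self-service join endpoint should never let the request decide which rows a lookup can match: the code is validated before it reaches the query, compared with equality rather than a pattern, and the database row itself must carry an explicit opt-in flag, so a privileged group such as Root is unreachable regardless of what the client sends.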