
Export all Recipients with no role to view or edit Recipients



Published 2 weeks ago


Hi, this is the DevSecure Team. We specialize in uncovering hidden vulnerabilities that pose real-world risks to modern web applications.
All vulnerabilities shared in these write-ups are fully redacted: any company names, domains, or sensitive details are replaced with placeholders such as company.com. Each finding was responsibly disclosed through the Intigriti platform and has been verified and resolved by the affected vendor.

Every post represents our commitment to ethical hacking, responsible disclosure, and continuous learning, helping organizations strengthen their defenses while contributing to a safer global cybersecurity ecosystem.

Description:

An ordinary user of an organisation, one with no right to view or edit Recipients, can still retrieve the organisation's complete list of Recipients.

Affected Parameter / Endpoint: https://app-v2.company.com/en/recipients/export/csv

Proof of Concept:

Step-by-step to reproduce:
  • Step 1: Create an account with a POST request to this endpoint ( https://organisations.company.com/creation ).
  • Step 2: Add an active domain name so that you can add users.
  • Step 3: Add a user such as testuser@domain.com (make sure it has no role that allows viewing or editing Recipients).
  • Step 4: Log in with this user in another browser.
  • With this user, opening https://app-v2.company.com/en/recipients shows an Unauthorized message [ Sorry, but you are not authorized to view this page. ], but requesting https://app-v2.company.com/en/recipients/export/csv downloads a CSV file containing all Recipients in the organisation, including their emails.
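The root cause described above is an authorization check bound to the HTML page but not to the CSV export of the same data. The following is an added example, not code from the original report or from the affected vendor: a minimal, framework-free Python model of the two routes (the paths are taken from the report; the handler names, the `recipients:view` permission string and the sample recipient data are constructed for illustration). It shows the vulnerable export handler beside the hardened one, and an audit helper that lists every route under a resource prefix whose handler carries no permission requirement, which is the check that would have caught this gap before release.

```python
import csv
import io
from functools import wraps


class Forbidden(Exception):
    """Raised when the caller lacks the permission a handler requires."""


class User:
    def __init__(self, name, permissions):
        self.name = name
        self.permissions = frozenset(permissions)


# Constructed sample data standing in for the organisation's Recipient list.
RECIPIENTS = [
    {"name": "Alice Example", "email": "alice@example.org"},
    {"name": "Bob Example", "email": "bob@example.org"},
]


def require_permission(perm):
    """Enforce the check at the handler, so every representation of the
    resource (HTML page, CSV export, JSON API) is covered by the same rule."""
    def deco(fn):
        @wraps(fn)
        def wrapper(user, *args, **kwargs):
            if perm not in user.permissions:
                raise Forbidden(f"{user.name} lacks {perm}")
            return fn(user, *args, **kwargs)
        wrapper.required_permission = perm  # inspected by the audit below
        return wrapper
    return deco


def recipients_to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["name", "email"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


@require_permission("recipients:view")
def view_recipients(user):
    return RECIPIENTS


# Before: the page handler was protected, but the export handler was not.
def export_recipients_csv_vulnerable(user):
    return recipients_to_csv(RECIPIENTS)


# After: the export is bound to the same permission as the page it mirrors.
@require_permission("recipients:view")
def export_recipients_csv_fixed(user):
    return recipients_to_csv(RECIPIENTS)


VULNERABLE_ROUTES = {
    "/en/recipients": view_recipients,
    "/en/recipients/export/csv": export_recipients_csv_vulnerable,
}
FIXED_ROUTES = {
    "/en/recipients": view_recipients,
    "/en/recipients/export/csv": export_recipients_csv_fixed,
}


def dispatch(routes, path, user):
    """Invoke the handler for `path` as `user`.
    Returns ("ok", body) or ("forbidden", reason)."""
    try:
        return ("ok", routes[path](user))
    except Forbidden as exc:
        return ("forbidden", str(exc))


def audit_unprotected_routes(routes, prefix):
    """List paths under `prefix` whose handler declares no permission.
    Any hit is a candidate for the bypass described in this report."""
    return sorted(
        path for path, handler in routes.items()
        if path.startswith(prefix) and not hasattr(handler, "required_permission")
    )


if __name__ == "__main__":
    low_priv = User("testuser", [])  # no Recipients role, as in Step 3
    print(dispatch(VULNERABLE_ROUTES, "/en/recipients", low_priv)[0])
    print(dispatch(VULNERABLE_ROUTES, "/en/recipients/export/csv", low_priv)[0])
    print(audit_unprotected_routes(VULNERABLE_ROUTES, "/en/recipients"))
    print(audit_unprotected_routes(FIXED_ROUTES, "/en/recipients"))
```

The audit relies on the permission being declared as metadata on the handler rather than checked ad hoc inside it; that is the design choice that makes "does every route under /en/recipients enforce recipients:view?" a question a unit test can answer.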

Impact:

Unauthorized access to other users' information: the organisation's full Recipient list, including email addresses.

Severity:

Medium

Timeline:
  • Platform: Intigriti
  • Reported: 12/11/2022
  • Triaged: 14/11/2022
  • Accepted & paid: 14/11/2022
  • Bounty: €250

https://app.intigriti.com/profile/merroun
