image dsbw
Request Assessment

External Guest Can Get all Company Users informations including Emails with Partner role



Published il y a 2 mois

image de External Guest Can Get all Company Users informations including Emails with Partner role

Hi, This is DevSecure Team ,we specialize in uncovering hidden vulnerabilities that pose real-world risks to modern web applications.
All vulnerabilities shared in these write-ups are fully redacted — any company names, domains, or sensitive details are replaced with placeholders such as company.com. Each finding was responsibly disclosed through the Intigriti platform and has been verified and resolved by the affected vendor.

Every post represents our commitment to ethical hacking, responsible disclosure, and continuous learning, helping organizations strengthen their defenses while contributing to a safer global cybersecurity ecosystem.

in this company you could invite a Guest user and affect to him a project to work in
but this vulnerability make a Guest user able to get all Company Users informations including Emails
without any invitation to any project and thats a clear Broken Access control issue
POC:
1/ login with owner user role click on invite user chose external ( Guest )
from there you can read
Guests can only read, upload, and download documents in projects which they are invited to.
2/ get your jwt token for the invited guest user with post request include guest credentials to
https://api.company.com/auth/token
3/ without any invitation to any project you can get all users in the company from this endpoint
https://api.company.com/user/mention

Platform : Intigriti
Timeline :
Reported: 20/11/2022
Triaged: 22/11/2022
Accepted & paid: 23/12/2022
Bounty: €150
https://app.intigriti.com/profile/merroun

More Articles You May Like

Blog Image
IDOR Get any Customer all invoices

1/ create new company and login 2/ go to services-api.company.com/customers/{UUID}/invoices?invoiced=false 3/ change UUI...

Read More →
Blog Image
get personal information of workers

1/ go to this endpoint https://company.com/search?p_p_lifecycle=0&saveLastPath=true&q=cv&type=com.liferay.document.libra...

Read More →
Blog Image
Extract all users emails end with( @company.com ) with names in DB of Company users

i found a method to get all emails with @company.com in company admin db the method is in 2 steps after login as admin 1...

Read More →