image dsbw
Request Assessment

External Guest without permission Can Share any collection with any user



Published il y a 1 semaine

image de External Guest without permission Can Share any collection with any user

Hi, This is DevSecure Team ,we specialize in uncovering hidden vulnerabilities that pose real-world risks to modern web applications.
All vulnerabilities shared in these write-ups are fully redacted — any company names, domains, or sensitive details are replaced with placeholders such as company.com. Each finding was responsibly disclosed through the Intigriti platform and has been verified and resolved by the affected vendor.

Every post represents our commitment to ethical hacking, responsible disclosure, and continuous learning, helping organizations strengthen their defenses while contributing to a safer global cybersecurity ecosystem.

Description:

External Guest without permission Can Share any collection with any user and the user will be notify by email

Affected Parameter / Endpoint: https://api.company.com/api/collections/{collectionId}/share

Proof of Concept:

Step-by-step to reproduce:
  • Step 1: login with owner user role click on invite user chose external ( Guest ) from there you can read "Guests can only read, upload, and download documents in projects which they are invited to".
  • Step 2: get your jwt token for the invited guest user with post request include guest credentials to

    https://api.company.com/auth/token
  • Step 3: you can share any collection in this company with any user from this endpoint with post request POST https://api.company.com/api/collections/{collectionId}/share {"comment":"share this collection with no permission","userIds":["00000000-0000-00000-0000-000000000000"]}
you can get users ids from this endpoint : /api/user/mention {collectionId} is the collection id now the user will get an email with the details link information to access collection

Impact:

unauthorized action

Severity:

Medium — unauthorized action.

  • Timeline :
  • Platform : Intigriti
  • Reported: 21/11/2022
  • Triaged: 23/11/2022
  • Accepted & paid: 23/11/2022
  • Bounty: €150

https://app.intigriti.com/profile/merroun

More Articles You May Like

Blog Image
SQL INJECTION, leaking of personal data + server misconfiguration lead to unauthorized access

Description: in one of the earlier target that i hunted in before, after the recon step, i found an interesting service...

Read More →
Blog Image
BROKEN ACCESS CONTROL lead to leak all users sensitive data in Company database, including emails

Description: BROKEN ACCESS CONTROL lead to leak all users sensitive data in company database, including emails in compa...

Read More →
Blog Image
IDOR Get any Customer all invoices

Description: Broken access control IDOR lead to get all invoices for any customer Affected Parameter / Endpoint: https...

Read More →