Impact
Authenticated users can add themselves to any organization in CloudExplorer Lite, including organizations they are not a member of.
Reproduction steps:
- User 1 is a member of organization team1 and is not a member of team2.
- User 1 edits their own profile.
- In the interface, user 1 is offered only team1 when changing their organization.
- Intercept the profile-update request with Burp Suite and replace the ID of team1 in the request body with the ID of team2.
- Forward the modified request; the server accepts it and user 1 is now a member of team2.
- Root cause: the restriction is enforced only in the front end (team2 is hidden from the interface), but the server never checks whether user 1 is actually allowed to select team2. Hiding an option in the UI is not an authorization control; the membership check has to run on the server against the authenticated session user.
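The server-side check that the root cause calls for, as an added illustration that is not CloudExplorer Lite's own code: an in-memory profile-update handler in the vulnerable shape beside one that verifies membership against the session user, plus a replay of the tampered request from the steps above. The handler names, the `org_id` field, the membership table and the sample users are assumptions made for this example.

```python
from typing import Dict, Set


class Forbidden(Exception):
    """Raised when the caller is not allowed to select the requested organization."""


def sample_state():
    """Constructed sample data (not from the project): user1 belongs to team1 only."""
    memberships: Dict[str, Set[str]] = {"user1": {"team1"}, "user2": {"team2"}}
    profiles: Dict[str, Dict[str, str]] = {
        "user1": {"org_id": "team1"},
        "user2": {"org_id": "team2"},
    }
    return memberships, profiles


def update_profile_vulnerable(session_user, body, memberships, profiles):
    """Before the fix: trusts the organization ID in the request body.
    The UI only offers organizations the user belongs to, but nothing
    stops a proxied request from carrying a different ID."""
    profiles[session_user]["org_id"] = body["org_id"]
    return profiles[session_user]["org_id"]


def update_profile_fixed(session_user, body, memberships, profiles):
    """After the fix: the server checks membership itself, keyed on the
    authenticated session identity, never on anything in the request body."""
    target = body["org_id"]
    if target not in memberships.get(session_user, set()):
        raise Forbidden(f"{session_user} is not a member of {target}")
    profiles[session_user]["org_id"] = target
    return target


def tamper(body, org_id):
    """The intercepting-proxy step: keep the captured request, swap only the org ID."""
    tampered = dict(body)
    tampered["org_id"] = org_id
    return tampered


def reproduce(handler, org_id="team2"):
    """Replays the advisory's steps as user1 against a handler and returns the
    organization user1 ends up in, or 'forbidden' if the server refused."""
    memberships, profiles = sample_state()
    captured = {"name": "User 1", "org_id": "team1"}  # what the UI would send
    try:
        return handler("user1", tamper(captured, org_id), memberships, profiles)
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    print("vulnerable handler:", reproduce(update_profile_vulnerable))      # team2
    print("fixed handler:     ", reproduce(update_profile_fixed))           # forbidden
    print("fixed, legitimate: ", reproduce(update_profile_fixed, "team1"))  # team1
```

The membership lookup is keyed on `session_user`, which comes from the authenticated session, not from the request; a check that instead read the user ID out of the body would be bypassable by the same proxy trick.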
Reproduction video:
https://1drv.ms/v/s!Avwg5C1eKVA4girUgKWl9SQX543P?e=N1ZU47
Affected versions: <= 1.0.2.
Patches
The vulnerability has been fixed in v1.1.0.
Workarounds
There is no workaround; upgrade to v1.1.0.
References
If you have any questions or comments about this advisory:
Open an issue in https://github.com/CloudExplorer-Dev/CloudExplorer-Lite
Email us at xin.bai@fit2cloud.com