User can create saved reports for any team member

State Resolved
January 21, 2019
Issue ID 3CW4P34zH
Asset Web application
Bounty $100
Reported at January 17, 2019
Reporter Undisclosed
Severity Low
Visibility Complete
Weakness CWE 269 - Improper Privilege Management

Description

The user is able to create a saved report for any team member by changing the userId in the POST data while creating the report. However, the attacker cannot see the report.
Impact - A report can be created for other users, but the attacker is not able to see it.

Step by step - Scenario

  1. Using a proxy, intercept the request for saving a custom report.
  2. Change the 'userId' field to the userId of user B, a member of the same workspace.
  3. Log in as user B and go to saved reports.
    ◦ You will see the new report created.

Expected

A user should not be able to create a saved report for others.
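As an added illustration (not code from the affected application), the model below contrasts a handler that takes the report owner from the client-supplied `userId` with one that derives the owner from the authenticated session and logs any mismatch; the workspace membership data, function names and request shape are constructed assumptions.

```python
"""Added example: saved-report creation with the owner taken from the POST body
(the weakness described above) beside the corrected handler, which uses the
session identity and records a mismatch as a detection signal."""
from dataclasses import dataclass, field

# Constructed sample data: one workspace with two members, user-a and user-b.
WORKSPACE_MEMBERS = {"workspace-1": {"user-a", "user-b"}}


@dataclass
class ReportStore:
    reports: list = field(default_factory=list)  # saved reports
    audit: list = field(default_factory=list)    # security audit log lines

    def visible_to(self, user_id):
        """Saved reports are shown only to their owner, as in the report above."""
        return [r for r in self.reports if r["owner"] == user_id]


def create_report_vulnerable(store, session_user, body):
    """Weak version: trusts 'userId' from the request body, so an attacker can
    name any other workspace member as the owner of the new report."""
    owner = body["userId"]
    if owner not in WORKSPACE_MEMBERS[body["workspace"]]:
        raise PermissionError("owner is not a member of this workspace")
    store.reports.append({"owner": owner, "name": body["name"]})
    return owner


def create_report_fixed(store, session_user, body):
    """Fixed version: the owner is always the authenticated user. A client
    value that disagrees with the session is rejected and written to the
    audit log, which is what a monitoring rule would alert on."""
    if session_user not in WORKSPACE_MEMBERS[body["workspace"]]:
        raise PermissionError("caller is not a member of this workspace")
    claimed = body.get("userId")
    if claimed is not None and claimed != session_user:
        store.audit.append(f"userId mismatch: session={session_user} body={claimed}")
        raise PermissionError("cannot create a saved report for another user")
    store.reports.append({"owner": session_user, "name": body["name"]})
    return session_user
```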