User can create saved reports for any team member
January 21, 2019
| Field | Value |
|---|---|
| Reported at | January 17, 2019 |
| Weakness | CWE-269 - Improper Privilege Management |
A user is able to create a saved report for any team member by changing the 'userId' field in the POST data sent when the report is created. The report is created under the target user's account; however, the attacker cannot see it.
Impact - A report is created for another user, but the attacker is not able to view it.
Step by step - Scenario
- Using an intercepting proxy, capture the request that saves a custom report.
- Change the 'userId' field to the userId of user B, who is a member of the same workspace.
- Log in as user B and go to saved reports.
  ◦ The newly created report is listed there.
A user should not be able to create a saved report for other users.
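As an added illustration that is not part of the original report or the affected application's code, the following Python models the server-side logic behind this finding: one handler trusts the client-supplied userId from the POST body (the vulnerable pattern described above), and a hardened handler takes report ownership from the authenticated session instead, rejecting and surfacing any request whose userId disagrees. The in-memory store, the user ids "user_A" and "user_B", and the request dictionaries are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class Forbidden(Exception):
    """Raised when a request tries to create a report on behalf of another user."""


@dataclass
class SavedReport:
    owner_id: str   # the user who will see the report in "saved reports"
    name: str


@dataclass
class ReportStore:
    """Minimal in-memory stand-in for the reports table (constructed for the example)."""
    reports: Dict[str, List[SavedReport]] = field(default_factory=dict)

    def add(self, report: SavedReport) -> None:
        self.reports.setdefault(report.owner_id, []).append(report)

    def for_user(self, user_id: str) -> List[SavedReport]:
        return list(self.reports.get(user_id, []))


def create_report_vulnerable(store: ReportStore, session_user_id: str,
                             post_data: dict) -> SavedReport:
    """Vulnerable pattern: ownership is taken from the client-controlled 'userId'.

    Any workspace member can therefore file a report under another member's
    account, which is exactly the behaviour the finding above describes.
    """
    report = SavedReport(owner_id=post_data["userId"], name=post_data["name"])
    store.add(report)
    return report


def create_report_fixed(store: ReportStore, session_user_id: str,
                        post_data: dict) -> SavedReport:
    """Hardened pattern: ownership always comes from the authenticated session.

    A client-supplied 'userId' is never used as the owner. If one is present and
    does not match the session, the request is refused with an error that can be
    logged and alerted on, since a legitimate client has no reason to send it.
    """
    requested: Optional[str] = post_data.get("userId")
    if requested is not None and requested != session_user_id:
        raise Forbidden(
            f"user {session_user_id} attempted to create a saved report for {requested}"
        )
    report = SavedReport(owner_id=session_user_id, name=post_data["name"])
    store.add(report)
    return report


def run_scenario() -> dict:
    """Replays the report's scenario against both handlers and summarises the outcome."""
    # Constructed request: user_A is logged in but the body names user_B as owner.
    tampered = {"userId": "user_B", "name": "Quarterly summary"}
    # Constructed request: a normal client omits userId entirely.
    normal = {"name": "Quarterly summary"}

    vuln_store = ReportStore()
    create_report_vulnerable(vuln_store, "user_A", tampered)

    fixed_store = ReportStore()
    rejected = False
    try:
        create_report_fixed(fixed_store, "user_A", tampered)
    except Forbidden:
        rejected = True
    own_report = create_report_fixed(fixed_store, "user_A", normal)

    return {
        # Vulnerable: user_B now sees a report they never created.
        "vulnerable_user_b_reports": len(vuln_store.for_user("user_B")),
        # Fixed: the tampered request is refused and nothing lands in user_B's list.
        "fixed_rejected_tampered": rejected,
        "fixed_user_b_reports": len(fixed_store.for_user("user_B")),
        # Fixed: a normal request still works and is owned by the session user.
        "fixed_owner_of_normal_request": own_report.owner_id,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The key design point is that the fixed handler does not merely check the submitted userId against the session; it ignores it for ownership entirely and treats a mismatch as a signal worth logging, so both the privilege-management flaw and the detection gap are closed.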