Admin can update workspace status of another admin
| Field | Value |
|---|---|
| State | Resolved April 8, 2021 |
| Issue ID | -zUnIUHDq |
| Asset | v1 API |
| Bounty | $100 |
| Reported at | April 3, 2021 |
| Reporter | Bhavik Kanejiya |
| Severity | Low |
| Visibility | Complete |
| Weakness | CWE-285: Improper Authorization |
Description
A malicious admin can update the workspace status of another admin, but only if both are admins of the same workspace. The attacker cannot delete the other admin or perform any other disallowed action, and the workspace owner can undo the malicious admin's change.
Step by step - Scenario
- Three users are in the same workspace: Carol (owner), Alice (admin), Bob (admin)
- Using the update-workspace-status request, Alice changes Bob's workspace status
Expected
Only the workspace owner can change the workspace status of the admin.
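The following is an added illustration of the authorization flaw and its fix; it is not the vendor's code, and the data model (a `Workspace` holding a role and a status per user) and the function names are assumptions made for the example. The vulnerable check only verifies that the caller is an admin, so Alice (admin) can change Bob's (admin) status; the hardened check additionally compares the caller's role against the target's, so an admin may only manage plain members and only the owner may change an admin's status, which is the expected behaviour stated above.

```python
from dataclasses import dataclass, field
from enum import Enum


class Role(str, Enum):
    OWNER = "owner"
    ADMIN = "admin"
    MEMBER = "member"


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the requested change."""


@dataclass
class Workspace:
    # Assumed model: user id -> role, user id -> status ("active" / "suspended")
    roles: dict = field(default_factory=dict)
    status: dict = field(default_factory=dict)


def update_status_vulnerable(ws: Workspace, actor: str, target: str, new_status: str) -> None:
    """Flawed check (CWE-285): only asks 'is the caller an admin?', never
    'what is the target's role?', so one admin can act on another admin."""
    if ws.roles.get(actor) not in (Role.OWNER, Role.ADMIN):
        raise Forbidden("caller is not an admin of this workspace")
    ws.status[target] = new_status


def update_status_fixed(ws: Workspace, actor: str, target: str, new_status: str) -> None:
    """Hardened check: the decision depends on both the caller's and the
    target's role. Owners may change anyone; admins may only change plain
    members; changing an admin's status is reserved to the owner."""
    actor_role = ws.roles.get(actor)
    target_role = ws.roles.get(target)
    if target_role is None:
        raise Forbidden("target is not a member of this workspace")
    if actor_role == Role.OWNER:
        pass  # owner outranks everyone in the workspace
    elif actor_role == Role.ADMIN and target_role == Role.MEMBER:
        pass  # admins manage ordinary members only
    else:
        raise Forbidden(f"{actor_role} may not change the status of a {target_role}")
    ws.status[target] = new_status


def scenario_workspace() -> Workspace:
    """Constructed sample matching the report: Carol owner, Alice and Bob admins."""
    ws = Workspace()
    for user, role in (("carol", Role.OWNER), ("alice", Role.ADMIN), ("bob", Role.ADMIN)):
        ws.roles[user] = role
        ws.status[user] = "active"
    return ws


def admin_can_suspend_admin(update) -> bool:
    """Replay the reported step: Alice (admin) tries to suspend Bob (admin).
    Returns True if the given update function let the change through."""
    ws = scenario_workspace()
    try:
        update(ws, "alice", "bob", "suspended")
    except Forbidden:
        return False
    return ws.status["bob"] == "suspended"


def owner_can_suspend_admin(update) -> bool:
    """Control case: Carol (owner) suspends Bob, which must stay allowed."""
    ws = scenario_workspace()
    try:
        update(ws, "carol", "bob", "suspended")
    except Forbidden:
        return False
    return ws.status["bob"] == "suspended"


if __name__ == "__main__":
    print("vulnerable: admin -> admin allowed?", admin_can_suspend_admin(update_status_vulnerable))
    print("fixed:      admin -> admin allowed?", admin_can_suspend_admin(update_status_fixed))
    print("fixed:      owner -> admin allowed?", owner_can_suspend_admin(update_status_fixed))
```

The useful regression test here is the pair of cases at the bottom: the reporter's step (admin acting on admin) must be rejected after the fix, while the owner acting on an admin must keep working, so that the fix does not silently break the legitimate path.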