Moneybird: Employees with Any Permissions Can Create App with Full Permissions and Perform any API Action

ID H1:135989
Type hackerone
Reporter yaworsk
Modified 2016-06-13T09:02:43


By changing the POST parameters of an OAuth authorization call, an employee with limited permissions on an administration could obtain an app with full permissions to that administration and perform any API action. With the fix in place, access is denied when the administration id is changed.
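The failure mode described above, as an added illustration that is not Moneybird's code: an OAuth app-authorization endpoint that takes the administration id and the requested permissions from the POST body and trusts them, beside a version that re-derives, from the server's own membership records, what the posting user is actually allowed to grant. The membership table, role and scope names, and the function names are hypothetical and constructed for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, FrozenSet

# Constructed sample data (hypothetical; not Moneybird's real data model).
# user -> {administration_id: role}
ADMIN_MEMBERSHIP: Dict[str, Dict[str, str]] = {
    "alice": {"adm-100": "owner"},
    "bob": {"adm-100": "employee", "adm-200": "owner"},
}

# What each role may grant to an app for an administration (hypothetical scopes).
ROLE_SCOPES: Dict[str, FrozenSet[str]] = {
    "owner": frozenset({"sales_invoices", "documents", "estimates", "bank", "settings"}),
    "employee": frozenset({"sales_invoices"}),
}


class Forbidden(Exception):
    """Raised when the authorization request exceeds the user's permissions."""


@dataclass
class Grant:
    """An approved app grant: the token may act on one administration with these scopes."""
    user: str
    administration_id: str
    scopes: FrozenSet[str]
    token: str = field(default_factory=lambda: secrets.token_hex(16))


def approve_vulnerable(user: str, form: Dict[str, str]) -> Grant:
    """Vulnerable: the administration id and scopes come straight from the POST body.

    The user is authenticated, but nothing checks that they hold these
    permissions on that administration, so editing the form is enough to
    get a full-permission app on any administration they can name.
    """
    scopes = frozenset(form["scope"].split())
    return Grant(user, form["administration_id"], scopes)


def approve_fixed(user: str, form: Dict[str, str]) -> Grant:
    """Fixed: every value in the form is checked against server-side membership."""
    administration_id = form["administration_id"]
    role = ADMIN_MEMBERSHIP.get(user, {}).get(administration_id)
    if role is None:
        # Covers the "administration id was changed" case: deny outright.
        raise Forbidden(f"{user} is not a member of administration {administration_id}")
    requested = frozenset(form["scope"].split())
    allowed = ROLE_SCOPES[role]
    if not requested <= allowed:
        # The user may not hand an app more than they hold themselves.
        extra = " ".join(sorted(requested - allowed))
        raise Forbidden(f"requested scopes exceed {user}'s {role} role: {extra}")
    return Grant(user, administration_id, requested)


def can_call(grant: Grant, administration_id: str, scope: str) -> bool:
    """API-side check: a token is bound to one administration and its granted scopes."""
    return grant.administration_id == administration_id and scope in grant.scopes


# Constructed tampered request: bob is only an employee of adm-100, but posts
# the full owner scope set for it.
TAMPERED_FORM = {
    "administration_id": "adm-100",
    "scope": "sales_invoices documents estimates bank settings",
}


if __name__ == "__main__":
    bad = approve_vulnerable("bob", TAMPERED_FORM)
    print("vulnerable: bob may change settings on adm-100:", can_call(bad, "adm-100", "settings"))
    try:
        approve_fixed("bob", TAMPERED_FORM)
    except Forbidden as exc:
        print("fixed: denied ->", exc)
```

The key point of the fixed handler is that the administration id and the scope list are treated as untrusted input even though the user is logged in: authentication tells the server who is posting, not what that person may grant, so the role lookup has to happen per administration on every authorization request.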