Hello team,
In my recent testing I found that any user could upload attachments to any user's pentest scoping form without having access to it, as long as they have the scope id.
Note: before you start you will require two accounts to test for this bug.
Steps to reproduce:
989953fa-5635-43c9-b584-48736d224b15
-----------------------------22121373215470710503552942440
Content-Disposition: form-data; name="context_type"
PentestOpportunity
-----------------------------22121373215470710503552942440
Content-Disposition: form-data; name="file"; filename="does not have a option to change his own permission.png"
Content-Type: image/png
====================================================================================================================
6. From your previous account, reload the scoping form and go to Review and Submit.
7. You will notice that the file has been successfully uploaded.
Business logic error.
Could attach malicious files to anyone's scoping form.
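The fix this report points at is a server-side authorization check on the upload endpoint: the handler must tie the upload to the caller's identity and the referenced scoping form, not just accept any scope id it is handed. The block below is an added example written for this page; it is neither the reporter's code nor the affected platform's code. It assumes a `context_id` form field carrying the scope id (the request fragment above shows `context_type` and `file`; the id is assumed to travel in a sibling field), a toy in-memory model of scoping forms with an owner and optional collaborators, and a constructed multipart body. The scope id from the report is reused as the sample form id, and `fake-png-bytes` stands in for file content.

```python
import re
from dataclasses import dataclass, field


# Constructed data model (assumption): a scoping form has one owner and may be
# shared with collaborators; nobody else may view it or attach files to it.
@dataclass
class ScopingForm:
    form_id: str
    owner_id: str
    collaborators: set = field(default_factory=set)


@dataclass
class Attachment:
    form_id: str
    uploader_id: str
    filename: str
    content_type: str
    data: bytes


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Minimal multipart/form-data parser: {field name: (filename, content-type, bytes)}."""
    delim = b"--" + boundary.encode()
    fields = {}
    for chunk in body.split(delim)[1:]:          # [0] is the preamble, dropped
        if chunk.startswith(b"--"):              # closing delimiter "--boundary--"
            break
        head, _, data = chunk.removeprefix(b"\r\n").partition(b"\r\n\r\n")
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        params = dict(re.findall(r'(\w+)="([^"]*)"', headers.get("content-disposition", "")))
        if "name" in params:
            fields[params["name"]] = (params.get("filename"),
                                      headers.get("content-type"),
                                      data.removesuffix(b"\r\n"))
    return fields


class AttachmentService:
    def __init__(self, forms):
        self.forms = {f.form_id: f for f in forms}
        self.attachments = []

    def can_access(self, user_id: str, form_id: str) -> bool:
        form = self.forms.get(form_id)
        return form is not None and (user_id == form.owner_id or user_id in form.collaborators)

    def handle_upload(self, user_id: str, body: bytes, boundary: str):
        """Returns (http_status, message). user_id comes from the session, never from the body."""
        fields = parse_multipart(body, boundary)
        try:
            context_type = fields["context_type"][2].decode()
            context_id = fields["context_id"][2].decode()   # assumed field name
            filename, content_type, data = fields["file"]
        except KeyError as missing:
            return 400, f"missing field {missing}"
        if context_type != "PentestOpportunity" or filename is None:
            return 400, "unsupported context_type or no file"
        # The check the report shows missing: the uploader must already be allowed
        # to see this form. 404 for both "no such form" and "not yours", so a valid
        # scope id cannot be confirmed by probing the endpoint.
        if not self.can_access(user_id, context_id):
            return 404, "not found"
        self.attachments.append(Attachment(context_id, user_id, filename, content_type, data))
        return 201, f"attached {filename} to {context_id}"


def build_body(boundary: str, context_id: str, filename: str) -> bytes:
    """Constructed request body mirroring the fields in the report."""
    d = b"--" + boundary.encode()
    parts = [
        d + b'\r\nContent-Disposition: form-data; name="context_type"\r\n\r\nPentestOpportunity\r\n',
        d + b'\r\nContent-Disposition: form-data; name="context_id"\r\n\r\n' + context_id.encode() + b"\r\n",
        d + b'\r\nContent-Disposition: form-data; name="file"; filename="' + filename.encode() + b'"\r\n'
          + b"Content-Type: image/png\r\n\r\nfake-png-bytes\r\n",
        d + b"--\r\n",
    ]
    return b"".join(parts)


def demo():
    """Owner upload succeeds; a second account with only the scope id is refused."""
    victim_form = ScopingForm("989953fa-5635-43c9-b584-48736d224b15", owner_id="victim")
    svc = AttachmentService([victim_form])
    boundary = "XBOUNDARYX"
    body = build_body(boundary, victim_form.form_id, "evidence.png")
    owner_status = svc.handle_upload("victim", body, boundary)[0]
    other_status = svc.handle_upload("other-account", body, boundary)[0]
    return owner_status, other_status, len(svc.attachments)


if __name__ == "__main__":
    print(demo())
```

The point of the example is where the decision is made: `can_access` consults the form's owner and collaborators on the server, using the identity from the authenticated session, so knowing a scope id alone grants nothing. A check that relied on the client-supplied `context_type`/`context_id` pair being well-formed, or on the id being hard to guess, would reproduce the report's finding.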