Exposure of "Forgot Password" Token on Threads Controller Leads to Account Takeover

huntr report AAE4AEB8-2612-4254-85E5-90675B082EAC
Published: 2022-09-10 20:56:50
Reporter: brenu
Source: www.huntr.dev

CVSS v3.1: 4.9 Medium
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: High
  User Interaction: None
  Scope: Unchanged
  Confidentiality Impact: High
  Integrity Impact: None
  Availability Impact: None

CVSS v2: 3.3 Low
Vector: AV:N/AC:L/Au:M/C:P/I:N/A:N
  Access Vector: Network
  Access Complexity: Low
  Authentication: Multiple
  Confidentiality Impact: Partial
  Integrity Impact: None
  Availability Impact: None

EPSS: 0.001 Low (percentile 24.7%)

Description

Hello there! Hope you are doing great!

I kept looking for issues that are similar to CVE-2022-3019, and ended up finding one more, it’s in the Thread entity, and I found it by looking at the /api/threads/:app_id/all endpoint. It retrieves sensitive information about every user that’s in an app’s thread, including these users’ “forgot password” token, which means that a different user involved in the same project as you can steal your account, leading to both horizontal and vertical (admin as victim) privilege escalation.

Steps to Reproduce

1 => Create two different accounts. As this is a more specific issue, they need to be able to edit the same app. So you can create an “admin” and invite the second user after that;

2 => As the “admin”, go to the app editor and make a comment;

3 => Now, as the second user and the attacker, access the app editor and click on the “comments” button so the browser will try to load all the threads;

4 => Look at the request that’s being sent to /api/threads/:app_id/all, it retrieves sensitive information about the comment owner within its “user” attribute. With this data, you could take over the admin account, just like we did in the previous report;
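The report does not name the affected project or show the controller code, so the following is an added illustration in TypeScript and not the project's own code (a Node-style JSON API with an ORM that eagerly loads the thread's author is assumed). It shows the pattern behind this class of bug, a handler that returns the thread rows with the full user relation intact, beside the fix of projecting the author onto an explicit allow-list, plus a small scanner that a reviewer or a test suite can point at any JSON body to flag credential-like keys. The entity and field names (`ThreadRow`, `UserRow`, `forgotPasswordToken`, `invitationToken`, `passwordDigest`) and the sample rows are assumptions constructed for the example.

```typescript
// Added example (not from the huntr report or the affected project).
// Entity and field names below are assumptions chosen for illustration.

// What the ORM hands the controller: the full user row, secrets included.
interface UserRow {
  id: string;
  email: string;
  firstName: string;
  passwordDigest: string;
  forgotPasswordToken: string | null; // single-use password reset token
  invitationToken: string | null;
}

interface ThreadRow {
  id: string;
  appId: string;
  comment: string;
  user: UserRow; // eagerly loaded relation
}

// What a co-editor of the app is allowed to learn about a thread's author.
interface PublicUser {
  id: string;
  firstName: string;
}

interface PublicThread {
  id: string;
  appId: string;
  comment: string;
  user: PublicUser;
}

// Vulnerable shape: rows go back unchanged, so every column of the related
// user (reset token included) is serialized into the response.
export function listThreadsVulnerable(rows: ThreadRow[]): ThreadRow[] {
  return rows;
}

// Hardened shape: project onto an explicit allow-list. A column added to the
// entity later stays invisible until someone deliberately exposes it.
export function toPublicUser(u: UserRow): PublicUser {
  return { id: u.id, firstName: u.firstName };
}

export function listThreadsHardened(rows: ThreadRow[]): PublicThread[] {
  return rows.map((t) => ({
    id: t.id,
    appId: t.appId,
    comment: t.comment,
    user: toPublicUser(t.user),
  }));
}

// Regression guard: walk a JSON-serializable value and return the path of
// every key whose name looks like a credential. Run it over API responses in
// tests (or over a proxy capture during a review) so a newly exposed secret
// column fails the build instead of shipping.
const SENSITIVE_KEY = /token|secret|password|digest|hash|salt|apikey|api_key/i;

export function findSensitiveKeys(value: unknown, path: string = "$"): string[] {
  const hits: string[] = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => {
      hits.push(...findSensitiveKeys(item, `${path}[${i}]`));
    });
  } else if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    Object.keys(obj).forEach((key) => {
      const here = `${path}.${key}`;
      if (SENSITIVE_KEY.test(key)) hits.push(here); // flag the key itself ...
      hits.push(...findSensitiveKeys(obj[key], here)); // ... then keep descending
    });
  }
  return hits;
}

// Constructed sample data standing in for the ORM result (not real values).
export const SAMPLE_THREADS: ThreadRow[] = [
  {
    id: "t1",
    appId: "app-42",
    comment: "Can we rename this query?",
    user: {
      id: "u-admin",
      email: "admin@example.test",
      firstName: "Ada",
      passwordDigest: "$2b$10$constructed-digest",
      forgotPasswordToken: "a1b2c3d4-reset-token",
      invitationToken: null,
    },
  },
];

// Usage: the unprojected response leaks the admin's reset token; the
// projected one reports nothing.
console.log(findSensitiveKeys(listThreadsVulnerable(SAMPLE_THREADS)));
console.log(findSensitiveKeys(listThreadsHardened(SAMPLE_THREADS)));
```

Running the block prints the key paths found in each response: the unprojected rows surface `$[0].user.forgotPasswordToken` alongside the password digest and invitation token, while the projected rows surface nothing. The same scanner applied to the real /api/threads/:app_id/all body captured in step 4 gives a repeatable way to confirm the leak and, after a fix, its absence. Note the deny-by-default direction of the fix: a serializer that deletes known-bad keys (`delete user.forgotPasswordToken`) silently re-leaks the next secret column added to the entity, whereas the allow-list has to be edited before anything new can escape.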
