CVSS3: 4.9 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CVSS2: 3.3 Low
Access Vector: NETWORK
Access Complexity: LOW
Authentication: MULTIPLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:M/C:P/I:N/A:N

EPSS: 0.001 Low
Percentile: 24.7%
Hello there! Hope you are doing great!
I kept looking for issues that are similar to CVE-2022-3019, and ended up finding one more. It's in the Thread entity, and I found it by looking at the /api/threads/:app_id/all endpoint. It retrieves sensitive information about every user that's in an app's thread, including these users' "forgot password" token, which means that a different user involved in the same project as you can steal your account, leading to both horizontal and vertical (admin as victim) privilege escalation.

1 => Create two different accounts. As this is a more specific issue, they need to be able to edit the same app. So you can create an "admin" and invite the second user after that;
2 => As the "admin", go to the app editor and make a comment;
3 => Now, as the second user and the attacker, access the app editor and click on the "comments" button so the browser will try to load all the threads;
4 => Look at the request that's being sent to /api/threads/:app_id/all; it retrieves sensitive information about the comment owner within its "user" attribute. With this data, you could take over the admin account, just like we did in the previous report;
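The root cause described above is a threads endpoint that serializes the full user record, credentials included, into the nested "user" attribute. The following is an added example, not code from the report or from the affected project, of the defensive pattern that prevents this class of leak: an allowlist serializer for the nested user plus a recursive check that flags any password- or token-like key that reaches a response payload. All field names (forgotPasswordToken, passwordDigest, avatarUrl) and the sample record are constructed for illustration.

```javascript
// Fields of a user that may ever appear inside a thread response.
// Anything not listed here (email, passwordDigest, reset tokens, ...) is dropped,
// so columns added to the user table later are never exposed by default.
const SAFE_USER_FIELDS = ["id", "firstName", "lastName", "avatarUrl"];

// Key pattern used by the regression check to spot credential-like data.
const SENSITIVE_KEY = /(password|token|secret|digest|salt|otp)/i;

// Project a user record onto the allowlist (constructed field names).
function serializeUser(user) {
  return Object.fromEntries(
    SAFE_USER_FIELDS.filter((k) => k in user).map((k) => [k, user[k]])
  );
}

// Serialize one thread; the nested owner goes through the allowlist.
function serializeThread(thread) {
  return {
    id: thread.id,
    appId: thread.appId,
    comments: thread.comments.map((c) => ({ id: c.id, body: c.body })),
    user: serializeUser(thread.user),
  };
}

// Walk any response payload and return the paths of keys that look sensitive.
// Useful as a test or middleware guard on every outgoing JSON body.
function findSensitiveKeys(value, path = "", found = []) {
  if (Array.isArray(value)) {
    value.forEach((v, i) => findSensitiveKeys(v, `${path}[${i}]`, found));
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      const p = path ? `${path}.${k}` : k;
      if (SENSITIVE_KEY.test(k)) found.push(p);
      findSensitiveKeys(v, p, found);
    }
  }
  return found;
}

// Constructed sample: a raw ORM record as a naive endpoint might return it.
const rawThread = {
  id: "t1",
  appId: "app-42",
  comments: [{ id: "c1", body: "Looks good to me" }],
  user: {
    id: "u1", firstName: "Ada", lastName: "Admin", avatarUrl: "/a.png",
    email: "ada@example.invalid",
    passwordDigest: "<constructed-hash>",
    forgotPasswordToken: "<constructed-token>",
  },
};
```

Running findSensitiveKeys over rawThread reports user.passwordDigest and user.forgotPasswordToken, while the output of serializeThread(rawThread) reports nothing.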