Platform users can edit work-in-progress (draft) forms by ID


14 Jan 2021



CVSSv3 score

CVSSv3 score not available on NIST NVD.


2.9.1


The platform stores intermediate changes as work-in-progress drafts. This lets users suspend their work and resume it later without losing their progress.

Signed-in platform users can edit work-in-progress (draft) forms created by other users.
Potential attackers can modify work-in-progress form data created and owned by other users without notice.

For example, they can change other users' account details by specifying a different email address to receive automated notifications from the platform; or they can edit the user name.

To do so, a potential attacker would need to send a request to the /private/work-in-progress API endpoint.
The request would need to include the attacker's Bearer token or their API token, and the ID that refers to the form they want to access.

The endpoint supports the following HTTP methods:

  • GET: view work-in-progress form data.

  • PUT: edit work-in-progress form data.

  • DELETE: delete work-in-progress form data.

To exploit the vulnerability, a potential attacker would need:

  • Sign-in access to the platform as a non-admin user.

  • Either of the following:

    • A valid Bearer token, which the platform issues after successfully validating user sign-in.

    • A valid API token.

  • The ID of the targeted form.
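The behaviour described above, where a valid token plus a form ID is enough to reach another user's draft, can be modelled as a missing per-object ownership check. The following is an added illustration, not EclecticIQ code: the in-memory `DraftStore`, the `handle_unchecked` and `handle_checked` handlers, and the sample users are hypothetical, and the owner comparison is an assumed form of the fix, which the advisory does not describe.

```python
# Illustrative in-memory model only; not the platform's implementation.
from dataclasses import dataclass, field

@dataclass
class Draft:
    owner: str   # user who created the work-in-progress draft
    data: dict

class Forbidden(Exception):
    """Caller is authenticated but may not touch this draft."""

@dataclass
class DraftStore:
    drafts: dict = field(default_factory=dict)  # draft ID -> Draft

    # Pattern from the advisory: the caller is authenticated, but `user`
    # is never compared with the draft's owner.
    def handle_unchecked(self, user, method, draft_id, body=None):
        return self._apply(method, draft_id, body)

    # Hardened (assumed fix): the authenticated user must own the draft.
    # Unknown and foreign IDs get the same answer, so IDs cannot be probed.
    def handle_checked(self, user, method, draft_id, body=None):
        draft = self.drafts.get(draft_id)
        if draft is None or draft.owner != user:
            raise Forbidden(f"{method} on draft {draft_id} denied")
        return self._apply(method, draft_id, body)

    def _apply(self, method, draft_id, body):
        if method == "GET":
            return dict(self.drafts[draft_id].data)
        if method == "PUT":
            self.drafts[draft_id].data.update(body or {})
            return dict(self.drafts[draft_id].data)
        if method == "DELETE":
            return self.drafts.pop(draft_id).data
        raise ValueError(f"unsupported method {method}")

def demo():
    # Constructed sample data: one draft owned by "alice".
    store = DraftStore({7: Draft("alice", {"email": "alice@example.test"})})
    store.handle_unchecked("bob", "PUT", 7, {"email": "bob@example.test"})
    changed = store.drafts[7].data["email"]           # overwritten by bob
    store.drafts[7].data["email"] = "alice@example.test"  # reset for part two
    blocked = []
    for method in ("GET", "PUT", "DELETE"):
        try:
            store.handle_checked("bob", method, 7, {"email": "bob@example.test"})
        except Forbidden:
            blocked.append(method)
    return changed, blocked, store.handle_checked("alice", "GET", 7)
```

The same three-method loop, run as a second non-admin user against a draft owned by the first, works as a regression check after upgrading.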


To mitigate this vulnerability:

  • Upgrade to EclecticIQ Platform 2.9.1.

Affected versions

2.9.0 and earlier.



See also:


In release notes 2.9.1