EIQ-2021-0001

EIQ-2021-0001

-

Platform users can edit work-in-progress (draft) forms by ID

14 Jan 2021

2 - MEDIUM

CVSSv3 score not available on NIST NVD.

2.9.1

The platform stores intermediate changes as work-in-progress drafts. This enables users to suspend working, and then to resume it later, without losing their progress.

Signed-in platform users can edit work-in-progress (draft) forms created by other users.
Potential attackers can modify work-in-progress form data created and owned by other users without notice.

For example, they can change other users' account details by specifying a different email address to receive automated notifications from the platform; or they can edit the user name.

To do so, a potential attacker would need to send a request to the /private/work-in-progress API endpoint.
The request would need to include the attacker's Bearer token or their API token, and the ID that refers to the form they want to access.

The endpoint supports the following HTTP methods:

• GET: view work-in-progress form data.

• PUT: edit work-in-progress form data.

• DELETE: delete work-in-progress form data.

To exploit the vulnerability, a potential attacker would need:

• Sign-in access to the platform as a non-admin user.

• Either of the following:

  • A valid Bearer token, which the platform issues after successfully validating user sign-in.

  • A valid API token.

• The ID of the targeted form.

To mitigate this vulnerability:

• Upgrade to EclecticIQ Platform 2.9.1.

2.9.0 and earlier.

For more information, see:

• CWE-99: Improper Control of Resource Identifiers (Resource Injection)

   This section is not visible to users accessing the public docs, it's for internal reference   

See also:

• EIQ-4356 - Preliminary pentest results CLOSED

• TP 48840

• GitLab MR with the fix

• Slack convo in the psirt-ops channel

• Slack convo in the team-hammer channel