EIQ-2021-0001

ID

EIQ-2021-0001

CVE

-

Description

Platform users can edit work-in-progress (draft) forms by ID

Date

14 Jan 2021

Severity

2 - MEDIUM

CVSSv3 score

CVSSv3 score not available on NIST NVD.

Status

✅ 2.9.1

Assessment

The platform stores intermediate changes as work-in-progress drafts. This lets users suspend their work and resume it later without losing progress.

Signed-in platform users can edit work-in-progress (draft) forms created by other users.

Potential attackers can modify work-in-progress form data created and owned by other users, without the owner being notified.

For example, by editing another user's draft of their account details, an attacker can point the platform's automated notifications at a different email address, or change the user name.

To do so, a potential attacker only needs to send a request to the /private/work-in-progress API endpoint that carries their own valid Bearer token or API token, together with the ID of the form they want to access.

The endpoint authenticates the caller, but it does not check that the caller owns the draft the ID refers to: possession of any valid token plus knowledge of the ID is sufficient.

The endpoint supports the following HTTP methods:

  • GET: view work-in-progress form data.

  • PUT: edit work-in-progress form data.

  • DELETE: delete work-in-progress form data.

To exploit the vulnerability, a potential attacker would need:

  • Sign-in access to the platform as a non-admin user.

  • Either of the following:

      • A valid Bearer token, which the platform issues after successfully validating user sign-in.

      • A valid API token.

  • The ID of the targeted form.
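The gap described above is a missing object-level authorization check: the endpoint accepts any valid token and then acts on whatever draft ID the request names, without confirming that the authenticated user owns that draft. The following Python is an added illustration of that pattern next to its hardened form, written for this page; it is not code from EclecticIQ Platform. The token table, the user names alice and bob, the draft ID wip-1, the in-memory store and the handler signatures are all constructed assumptions, not the platform's real API.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed token table for the example: maps a Bearer/API token to the
# user it authenticates. A real platform validates tokens against its
# session or token service; authentication is not what the advisory is about.
TOKENS: Dict[str, str] = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Draft:
    owner: str              # user who created the work-in-progress form
    data: Dict[str, str]    # draft form fields, e.g. notification e-mail


@dataclass
class Response:
    status: int
    body: Optional[Dict[str, str]] = None


class DraftStore:
    """In-memory stand-in for the platform's draft storage (constructed)."""

    def __init__(self) -> None:
        self.drafts: Dict[str, Draft] = {}


def _apply(store: DraftStore, method: str, draft_id: str, draft: Draft,
           body: Optional[Dict[str, str]]) -> Response:
    """Perform GET / PUT / DELETE once the access decision has been made."""
    if method == "GET":
        return Response(200, dict(draft.data))
    if method == "PUT":
        draft.data.update(body or {})
        return Response(200, dict(draft.data))
    if method == "DELETE":
        del store.drafts[draft_id]
        return Response(204)
    return Response(405)


def handle_vulnerable(store, method, draft_id, token, body=None) -> Response:
    """Broken pattern: the handler authenticates the caller (valid token) but
    never checks that the caller owns the draft, so any signed-in user can
    read, overwrite or delete any draft whose ID they know."""
    if token not in TOKENS:
        return Response(401)
    draft = store.drafts.get(draft_id)
    if draft is None:
        return Response(404)
    return _apply(store, method, draft_id, draft, body)


def handle_fixed(store, method, draft_id, token, body=None) -> Response:
    """Hardened pattern: object-level authorization. The draft is looked up
    and compared against the authenticated user. A draft that exists but
    belongs to someone else is answered exactly like a missing one, so the
    endpoint cannot be used as an oracle for which draft IDs exist."""
    user = TOKENS.get(token)
    if user is None:
        return Response(401)
    draft = store.drafts.get(draft_id)
    if draft is None or draft.owner != user:
        return Response(404)
    return _apply(store, method, draft_id, draft, body)


def probe(handler) -> Tuple[Dict[str, int], Optional[str], bool]:
    """Replay the advisory's scenario against a handler: alice owns a draft
    holding her notification e-mail; bob, a non-admin user holding only his
    own token, tries GET, PUT and DELETE on it by ID. Returns the status code
    per method, the e-mail left in the draft after the PUT (None if the draft
    is gone), and whether the draft still exists after the DELETE."""
    store = DraftStore()
    store.drafts["wip-1"] = Draft(owner="alice",
                                  data={"email": "alice@example.test"})
    status = {"GET": handler(store, "GET", "wip-1", "tok-bob").status}
    status["PUT"] = handler(store, "PUT", "wip-1", "tok-bob",
                            {"email": "bob@example.test"}).status
    after_put = (store.drafts["wip-1"].data["email"]
                 if "wip-1" in store.drafts else None)
    status["DELETE"] = handler(store, "DELETE", "wip-1", "tok-bob").status
    return status, after_put, "wip-1" in store.drafts


if __name__ == "__main__":
    print("vulnerable:", probe(handle_vulnerable))
    print("fixed:     ", probe(handle_fixed))
```

probe() is the regression check a practitioner would keep after applying the fix: against the vulnerable handler bob reads, rewrites and deletes alice's draft; against the hardened handler every cross-user request fails and the draft is untouched, while alice's own requests still succeed. The hardened handler answers a foreign draft with 404 rather than 403 so that the response does not confirm that the ID exists.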

Mitigation

To mitigate this vulnerability:

  • Upgrade to EclecticIQ Platform 2.9.1.

Affected versions

2.9.0 and earlier.

Notes

For more information, see: