Users without modify-users permissions can assign themselves administrator permissions by intercepting a specific request.


05 August 2021



CVSSv3 score

CVSSv3 score not available on NIST NVD


✅ 2.10.1.


An attacker can intercept a “profile_edit” operation on the platform to allow a non-admin user to give themselves administrator permissions under the following conditions:

  • User has “Group Administrator” permissions for one group.

  • User does not have “modify users” permissions.

  • User currently has their is_admin attribute set to false.

  • The PUT /private/users/{id} request sent to deliver the payload contains:

    • A second factor JWT sent with the X-PlatformApi-ReqAuthnToken header, obtained by making a POST /private/auth/rba/tokens request.

    • The PUT request is made within 10 seconds after obtaining the second factor JWT.

To set up a user that meets these requirements:

  1. Sign in as a platform administrator.

  2. Create a new role named “EIQ20210008_role”. In this role, add all permissions (to show that no other permissions affect this issue) except “modify users”, and save.

  3. Create a new group named “EIQ20210008_group”. Under Group admin settings > Allowed roles, select “EIQ20210008_role”, and save.

  4. Create a new user named “EIQ20210008”.

    1. Make sure that Administrator is not selected for this user.

    2. Under Groups, assign the user to “EIQ20210008_group” and set their User type to “Group Admin”.

    3. Set Assigned roles to “EIQ20210008_role”.

    4. Save.

  5. Sign out.

To replicate:

  1. Start Burp Suite or a similar tool, and navigate to the Proxy tool. Set up your browser such that Burp Suite can intercept requests made from that browser to your platform instance.

  2. Make sure that Intercept is set to off in Burp Suite.

  3. In your browser, navigate to the platform and sign in as the new user you created above.

  4. Select your profile image at the bottom left, and then My profile.

  5. Select Edit.

  6. In Burp Suite, set Intercept to on.

  7. Make a non-permissions change (e.g. change the contact info) and select Save.

  8. Enter the user’s password when prompted and select Next.


    You need to perform the next steps within 10 seconds of entering the user’s password and selecting Next.

  9. In Burp Suite, select Forward until you see a PUT /private/users/{id} request appear.

  10. In the payload that appears, look for “is_admin”: false, and set it to “is_admin”: true,

  11. Select Forward , and then set Intercept to off .

In the platform, you should see that the new user is now an administrator.


Planned fix, in which we enforce the condition where only platform administrators can make other users platform administrators.

Affected versions

2.10.0 and earlier