EIQ-2021-0009

ID

EIQ-2021-0009

CVE

-

Description

Users with only the modify ticket-comments and read tickets permissions can edit and delete comments on a Task on which they are at least a Stakeholder.

Date

17 August 2021

Severity

2 - MEDIUM

CVSSv3 score

CVSSv3 score not available on NIST NVD

Status

✅ 2.11.0

Assessment

An attacker with:

  • modify ticket-comments permissions

  • read tickets permissions

  • an assignment to a shared task (“Task_1”)

can edit and delete any task comment on that task (“Task_1”), as long as they are at least a “Stakeholder” on it, by sending:

  • A PUT /private/ticket-comments/{id} request with the following payload:

    {"data": {"text": "<change comment to this text>"}}

    to change the text of that comment to “<change comment to this text>”.

  • A DELETE /private/ticket-comments/{id} request to delete that task comment.

Expected:

Users should not be able to modify comments that they did not write.
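The missing object-level check behind this finding, as an added Python example that is not the EclecticIQ platform's own code: the weak policy admits any task stakeholder who holds the two permissions, while the corrected policy also requires that the caller authored the comment. All names, permission strings and data below are constructed for the example.

```python
from dataclasses import dataclass
# Constructed model of the advisory's scenario (example code, not the EclecticIQ
# platform's own); permission and role names follow the advisory's wording.
MODIFY_COMMENTS = "modify ticket-comments"
READ_TICKETS = "read tickets"

@dataclass
class User:
    name: str
    permissions: frozenset

@dataclass
class Task:
    task_id: str
    stakeholders: frozenset  # users holding at least the Stakeholder role

@dataclass
class Comment:
    comment_id: int
    task_id: str
    author: str
    text: str

def weak_can_modify(user, comment, task):
    """2.10.x-style check: permissions plus a Stakeholder role on the task.
    Nothing ties the caller to the comment, so any stakeholder passes."""
    return (MODIFY_COMMENTS in user.permissions
            and READ_TICKETS in user.permissions
            and comment.task_id == task.task_id
            and user.name in task.stakeholders)

def fixed_can_modify(user, comment, task):
    """Same gates plus an object-level authorship test: the 'Expected'
    behaviour from the advisory."""
    return weak_can_modify(user, comment, task) and comment.author == user.name

def put_comment(user, comment, task, new_text, policy):
    """Models PUT /private/ticket-comments/{id}; returns (status, stored text)."""
    if not policy(user, comment, task):
        return 403, comment.text
    comment.text = new_text
    return 200, comment.text

def scenario(policy, actor):
    """alice authored comment 1 on Task_1; mallory is only a stakeholder there."""
    task = Task("Task_1", frozenset({"alice", "mallory"}))
    comment = Comment(1, "Task_1", "alice", "original text")
    perms = frozenset({MODIFY_COMMENTS, READ_TICKETS})  # both hold just these two
    return put_comment(User(actor, perms), comment, task, "tampered", policy)
```

Under `weak_can_modify` mallory's PUT succeeds and overwrites alice's comment; under `fixed_can_modify` it is refused with 403 while alice can still edit her own comment.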

Mitigation

Planned fix, in which the platform enforces the ticket-comment permissions correctly.

Affected versions

2.10.x and earlier

Notes

N/A