EIQ-2021-0012#

ID

EIQ-2021-0012

CVE

-

Description

Users with only modify tickets and read ticket-comments permissions can modify properties of a task object they can access to move and see task comments from tasks they should not have access to.

Date

17 August 2021

Severity

2 - MEDIUM

CVSSv3 score

CVSSv3 score not available on NIST NVD

Status

✅ 2.11.0

Assessment

An attacker with these permissions:

  • modify tickets

  • read ticket-comments

Can:

  1. Create or modify a task (“Task_1”) they have access to.

  2. Send a PUT /private/tickets/{id} request to modify that task.

    In the payload of that request, specify the IDs of task comments that they should not have access to in the comments field to move those task comments to the that task (“Task_1”).

This allows an attacker to move any task comment from tasks that they should not be able to access to a task that they can control, and view those comments.

Moved comments will disappear from the tasks that they were originally on.

Expected:

  • Users (owner of the comment or otherwise) should not be able to move comments from one task to another.

  • Users should not be able to access comments that they do not own.

Mitigation

Planned fix where platform enforces permissions correctly.

Affected versions

2.10.x and earlier

Notes

N/A