[NXP-32590] #PT22227_5 Missing Access Control - A normal user can access user management APIs - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Open
Priority: Detail
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: None
Component/s: Security

Tags:
- pentest

Description

Criticality Justification
A regular user can gather all user and group data by querying the API directly

Steps To Reproduce

Login as a regular user and try to access the following admin feature:
{{ <https://pentest-2023.beta.nuxeocloud.com/nuxeo/ui/#!/admin/user-group-management> }}
The feature will not be accessible. (https://api.us.cobalt.io/v1/attachments/att_OptjRkT/preview)
Note that when this feature is accessed from the admin user, the following API calls are initiated:
{{ <https://pentest-2023.beta.nuxeocloud.com/nuxeo/api/v1/user/search?q=a&currentPageIndex=0> <https://pentest-2023.beta.nuxeocloud.com/nuxeo/api/v1/group/search?q=a&currentPageIndex=0> }}
Try to access these APIs from a regular user's session and note that the APIs are accessible. (https://api.us.cobalt.io/v1/attachments/att_tqwdrai/preview) (https://api.us.cobalt.io/v1/attachments/att_xZcRw5I/preview)

Suggested Fix
Implement robust access control to prevent a regular user from accessing admin data and features

Attachments

Activity

People

Assignee:

Unassigned

Reporter:

Sooraj Antony

Participants:

Sooraj Antony

Votes:

0 Vote for this issue

Watchers:

1 Start watching this issue

Dates

Created:

2024-05-23 17:51

Updated:

2024-05-23 17:51