Impact
A non-staff authenticated user can elevate their own account to staff via a POST request to their user account endpoint. The write permissions on that API endpoint are improperly configured, so any user can change their own staff status.
Valid user authentication is required to exploit this vulnerability, but the attack complexity is low.
Note: as per our threat model documentation, which covers our "assumed level of trust", all users must be trusted.
Patches
Patched in versions 1.2.7 and 1.3.0
Workarounds
None
References
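The class of bug described above is a write-permission (mass-assignment) flaw: the endpoint checks that the caller owns the record, then applies every field in the request body, including the privileged one. The following is an added example, not the project's own code, that shows a minimal update handler in its vulnerable form next to a hardened form that allowlists self-editable fields and requires existing staff status to change a privileged field. The field names (`is_staff`, `display_name`), the `PermissionDenied` error and the in-memory user records are assumptions for illustration.

```python
# Added illustration of the vulnerable-vs-hardened pattern; not the project's code.
# Field names, the PermissionDenied error and the user records below are assumptions.

PRIVILEGED_FIELDS = {"is_staff"}                      # only staff may change these
USER_EDITABLE_FIELDS = {"display_name", "email"}      # what any user may change on self


class PermissionDenied(Exception):
    pass


def update_user_vulnerable(target, payload, actor):
    """Vulnerable: verifies the actor owns the record, then applies every
    field from the request body, so a non-staff user can set is_staff=True."""
    if actor["id"] != target["id"]:
        raise PermissionDenied("can only edit own account")
    updated = dict(target)
    updated.update(payload)          # no field-level write permission check
    return updated


def update_user_hardened(target, payload, actor):
    """Hardened: reject unknown fields, require staff status (taken from the
    actor's stored record, not the payload) for privileged fields, and copy
    only allowlisted keys into the record."""
    if actor["id"] != target["id"] and not actor["is_staff"]:
        raise PermissionDenied("can only edit own account")

    unknown = set(payload) - USER_EDITABLE_FIELDS - PRIVILEGED_FIELDS
    if unknown:
        raise PermissionDenied(f"unknown fields: {sorted(unknown)}")

    requested_privileged = set(payload) & PRIVILEGED_FIELDS
    if requested_privileged and not actor["is_staff"]:
        raise PermissionDenied(f"not permitted to set {sorted(requested_privileged)}")

    writable = USER_EDITABLE_FIELDS | (PRIVILEGED_FIELDS if actor["is_staff"] else set())
    updated = dict(target)
    for field in writable:
        if field in payload:
            updated[field] = payload[field]
    return updated


def attempt(handler, target, payload, actor):
    """Run a handler and report (allowed, resulting_is_staff_or_error_text)."""
    try:
        result = handler(target, payload, actor)
        return True, result["is_staff"]
    except PermissionDenied as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample records: a non-staff user escalating their own account.
    alice = {"id": 1, "display_name": "alice", "email": "a@example.invalid", "is_staff": False}
    escalation = {"display_name": "alice", "is_staff": True}
    print("vulnerable:", attempt(update_user_vulnerable, alice, escalation, alice))
    print("hardened:  ", attempt(update_user_hardened, alice, escalation, alice))
```

The important design point is that the privilege check reads `is_staff` from the actor's stored record rather than from anything in the request, and that the copy loop iterates over the allowlist rather than over the payload, so a new privileged column added later is denied by default instead of silently becoming writable.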