Unlocking Restricted Features: A Vulnerability Analysis of Organization’s Role Management

بِسْم اللَّه الرَّحْمن الرَّحِيم . . اللَّهمَّ صَلِّ وَسلَّم وبارك على نَبِينَا مُحمَّد

Hello,

In today’s digital landscape, I Found Some security vulnerabilities can pose significant risks to organizations with Ahmed Ashraf, That allows attackers with a Custom Role to escalate their privileges and access restricted Owner-only features, particularly advanced moderation functionalities. By intercepting and modifying API requests, an attacker can gain unauthorized access to features that are intended solely for users with higher privilege levels (Owner), such as managing moderator groups and assigning user roles within moderation controls. This blog post will detail the setup, steps to reproduce the vulnerability, and the potential impact of this exploit.

Owner → Full access to all functionalities within the REDACTED dashboard.Admin → Restricted access to Owner functionalities, with permissions defined

As the Victim

1. Sign into the Owner Account

2. Invite the Attacker:

Invite the attacker to join the organization with the Admin Role.

As the Attacker

Accept the Invitation and Sign into the account with the Admin RoleWhile Testing in Application > Settings > Moderation > Moderator group I Found that is restricted (it's visible to Owner Only)

3. I Navigated to Owner Permission Found that he have access with Advanced Moderation

4. So, I go to Create a Custom Role with All Permissions:

Navigate to: Settings > RolesConfigure the role to have all permissions. but in moderation Permission i can’t choose the Advanced Moderation

“Note: Only the owner with advanced moderation permissions has access to this feature.”

5. Intercept the Edit Request:

Endpoint: PATCH /dashboard_api/organization_member_roles/{role_id}/Modify the request body that include “moderation.basic” to “moderation.advanced” of the restricted Feature:{ "permissions":[ "moderation.advanced" ] }Send the Modified Request:Receive a 200 OK response, indicating success.

6. Now, Chane my Role to the Mod Role . I Have this Problem

7. So, I Navigated Again to Mod Role to Edit the permission to basic moderation

8. Now i Can give myself Mod Role -> it’s work

9. After Get the Role Go to Edit the Escalate my Self to Advanced Moderation

10. Navigate to the Moderator group that was previously restricted, confirming that the attacker now has access and can perform :

The attacker can now create, edit, and delete moderator groups, gaining full control over moderation functionalities.