Security Issue - Editing Other Users Comments #668
Comments
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
Hi, any feedback?
Is this a BUG REPORT or FEATURE REQUEST?:
What happened:
It is possible to edit any user's comment with a low-privileged user, such as a customer with a User role. This can be done by tampering with the WebSocket message being sent to the server, allowing the modification of the message ID and corresponding message content to be accepted by the backend.
What did you expect to happen:
Enforce server-side validation to restrict low-privileged users from modifying others' comments via WebSocket messages, and implement role-based access control to ensure only authorized users can edit comments.
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?:
I'm available for further questions.
Environment:
Below is a PoC that showcases a customer with a User role that changes an Admin comment in a ticket:
[video attachment: 2024-04-20.13-33-27.mp4]
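As an added example that is not the project's own code (the message shape `{type, id, content}`, the role names and the in-memory store are assumptions for illustration), the kind of server-side check the report asks for: the handler that trusts the client-supplied comment id is shown beside a hardened one that takes identity only from the authenticated session and requires ownership or a privileged role before writing.

```javascript
// Added example, not the project's own code. Assumed shapes: the client sends
// {type: "edit_comment", id, content} over a WebSocket, and the server already
// holds the authenticated session as {userId, role}.

// Roles assumed to be allowed to edit comments written by other users.
const PRIVILEGED_ROLES = new Set(['Admin', 'Agent']);

// Constructed in-memory comment store; a fresh copy per call keeps runs independent.
function makeStore() {
  return new Map([
    [101, { authorId: 'admin-1', ticketId: 7, body: 'Admin reply' }],
    [102, { authorId: 'cust-9', ticketId: 7, body: 'Customer question' }],
  ]);
}

// Vulnerable handler: it trusts the id and content in the payload, so any client
// that changes the id in its message overwrites whichever comment that id names.
function editCommentUnchecked(store, msg) {
  const comment = store.get(msg.id);
  if (!comment) return { ok: false, error: 'not_found' };
  comment.body = msg.content;
  return { ok: true };
}

// Hardened handler: the payload is validated, the acting user comes only from the
// server-side session, and ownership or a privileged role is required before any write.
function editCommentChecked(store, session, rawMessage) {
  let msg;
  try {
    msg = JSON.parse(rawMessage);
  } catch {
    return { ok: false, error: 'bad_json' };
  }
  if (!msg || msg.type !== 'edit_comment' || !Number.isInteger(msg.id) || typeof msg.content !== 'string') {
    return { ok: false, error: 'bad_request' };
  }
  const comment = store.get(msg.id);
  if (!comment) return { ok: false, error: 'not_found' };
  const isOwner = comment.authorId === session.userId;
  const isPrivileged = PRIVILEGED_ROLES.has(session.role);
  if (!isOwner && !isPrivileged) {
    // Worth logging as a detection signal: a client asked to edit a comment it does not own.
    console.warn(`denied edit: user=${session.userId} role=${session.role} comment=${msg.id}`);
    return { ok: false, error: 'forbidden' };
  }
  comment.body = msg.content;
  return { ok: true };
}
```

The same ownership-or-role check belongs on every other comment mutation (delete, attach, resolve) that the WebSocket layer exposes, since the id in the payload is attacker-controlled in each case.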