While testing Mavenlink I found a simple information disclosure by which any user can accept a project invite
without accessing the invited user's mailbox.

Here are the steps to reproduce.

Let's say an admin has a project XYZ and is adding a victim with the email abc@gmail.com as a Consultant. The admin can accept that invite without having access to the victim's email and without the victim ever accepting it.

Steps :

- Admin logs in to the account and goes to the project, in my case https://app.mavenlink.com/workspaces/11063967
- There is an invite option in the project workspace, so there I invited deepakdas288@gmail.com to join my team
- The invite link the victim gets in email looks like this:
  https://app.mavenlink.com/workspace_invitations/55e025a7-63fe-a3b0-6579-2fd864a11c63
  If the user clicks this link, he is prompted for a new password and is added to the project.
- There is another endpoint where the same token is exposed to the project admin: the resend invitation button (see screenshot).
- Right-click on "resend" and copy the link. The link looks like this:
  https://app.mavenlink.com/workspaces/11063967/workspace_invitations/55e025a7-63fe-a3b0-6579-2fd864a11c63/resend
- Compare the two: the token the victim gets in the email and the token the admin copied from the resend button are the same.
- So now the admin removes /workspaces/11063967/ and /resend from the URL, pastes it in the browser, and the invite is accepted by the admin without any victim interaction.

After this the Mavenlink team fixed the issue, and I was able to find another endpoint disclosing the invitation token: the cancel invite button. Here is the screenshot.

Again it is fully fixed, so finally they rewarded me 2 bounties :)

Thanks for reading. Feedback is most welcome.
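The root cause above is that one secret did two jobs: it was both the acceptance credential mailed to the invitee and the identifier in admin-facing resend/cancel links. The sketch below is an added example, not Mavenlink's code or the post's; the host, class names and `public_id` field are assumptions. It models the vulnerable link builder beside a fixed one, and a regression check that fails whenever an admin-visible link embeds an acceptance secret.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

BASE = "https://app.example.invalid"  # placeholder host, not the real service


@dataclass
class Invitation:
    workspace_id: int
    invitee_email: str
    # Public id: safe to embed in admin-facing resend/cancel links.
    public_id: str = field(default_factory=lambda: secrets.token_urlsafe(12))
    # Acceptance secret: must appear only in the e-mail sent to the invitee.
    accept_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    accepted: bool = False


class InviteService:
    def __init__(self):
        self.invites = []

    def create(self, workspace_id, email):
        inv = Invitation(workspace_id, email)
        self.invites.append(inv)
        return inv

    def email_link(self, inv):
        return f"{BASE}/workspace_invitations/{inv.accept_token}"

    def resend_link_vulnerable(self, inv):
        # The pattern in the write-up: the admin-visible URL is built from the secret.
        return f"{BASE}/workspaces/{inv.workspace_id}/workspace_invitations/{inv.accept_token}/resend"

    def resend_link_fixed(self, inv):
        # Admin actions reference the invite by a non-secret id instead.
        return f"{BASE}/workspaces/{inv.workspace_id}/workspace_invitations/{inv.public_id}/resend"

    def accept(self, token):
        # Constant-time comparison over outstanding invites; accepted invites are never reusable.
        for inv in self.invites:
            if not inv.accepted and hmac.compare_digest(inv.accept_token, token):
                inv.accepted = True
                return True
        return False


def invitation_segment(url):
    # The segment after /workspace_invitations/, which the write-up shows being reused as the accept URL.
    parts = urlparse(url).path.strip("/").split("/")
    return parts[parts.index("workspace_invitations") + 1]


def admin_link_leaks_secret(svc, link_builder):
    # Regression check: no admin-facing link may contain an acceptance secret.
    return any(inv.accept_token in link_builder(inv) for inv in svc.invites)
```

The same check applies to every admin-facing action (resend, cancel, edit), since the post shows the fix for one button leaving the token exposed in another.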