ADVISORIES
GEM
PATCHED VERSIONS
- ~> 14.5.2
- >= 15.7.1
DESCRIPTION
Impact
Pageflow has a membership edit feature which allows users to edit the roles of user
memberships associated with an account that they have the manager role to (including
their own). While the Entity dropdown select field is greyed out in the UI, an attacker
can use tools which allow sending arbitrary HTTP request to craft a request to the
/admin/users/{user_id}/memberships/{membership_id} endpoint containing an additional
membership[entity_id] parameter. This parameter is honored when the membership is
updated, allowing an attacker to update the membership object associated with their own
account (with manager role) to be associated with a different attacker-chosen account
instead. Since account_ids are enumerable, an attacker can compromise all accounts
present on the platform.
Mitigation
Upgrade to version 15.7.1 or 14.5.2 of the pageflow gem.