Group Invite not properly authenticated
Unknown
Vulnerability Details
There is no check of whether the inviting user is allowed to invite a user into a group, and by manipulating the request a user may send themselves an invite to any group.
Example:
Group A (ID x) is created by User 1 with owner-only invitations.
User 2 maliciously sends himself an invite with ID x and receives an invite to Group A.
API Call that needs to be fixed:
https://www.wnmlive.com/api/groups/invites
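The missing server-side check, sketched as an added example; this is not WNM Live's code. The data model, the policy names and the functions `may_invite` and `create_invite` are hypothetical, since the report does not describe the real backend.

```python
from dataclasses import dataclass, field

# Hypothetical policy values; the report only mentions "Owner invitation only".
OWNER_ONLY = "owner_only"
MEMBERS = "members"

@dataclass
class Group:
    id: str
    owner_id: str
    invite_policy: str = OWNER_ONLY
    members: set = field(default_factory=set)
    invites: set = field(default_factory=set)  # user ids with a pending invite

class InviteDenied(Exception):
    """Raised when the authenticated caller may not invite into the group."""

def may_invite(group: Group, caller_id: str) -> bool:
    """Decide from server-side state only whether caller_id may invite."""
    if caller_id == group.owner_id:
        return True
    if group.invite_policy == MEMBERS:
        return caller_id in group.members
    return False  # owner-only and unknown policies fail closed

def create_invite(groups: dict, session_user_id: str, group_id: str, invitee_id: str) -> None:
    """Invite handler. session_user_id comes from the authenticated session,
    never from the request body, so a caller cannot claim to be the owner."""
    group = groups.get(group_id)
    # Same error for "no such group" and "not allowed", so the endpoint
    # does not confirm which group IDs exist.
    if group is None or not may_invite(group, session_user_id):
        raise InviteDenied("not allowed to invite into this group")
    group.invites.add(invitee_id)

def demo():
    # Constructed sample data mirroring the report's example.
    groups = {"x": Group(id="x", owner_id="user1")}
    create_invite(groups, "user1", "x", "user3")      # owner: allowed
    try:
        create_invite(groups, "user2", "x", "user2")  # self-invite: denied
    except InviteDenied:
        pass
    return groups["x"].invites
```

The regression test for the fix is the report's own scenario: a non-owner's request for Group A must be rejected and leave no pending invite behind.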
Report Stats
- Report ID: 46379
- State: Closed
- Substate: resolved
- Upvotes: 1