Re-Sharing allows increase of privileges

Disclosed: 2020-09-28 09:19:36 By alx_il To nextcloud
Medium
Vulnerability Details
- User A shares a file/folder to user B with re-sharing permission, but read-only
- User B shares this file/folder to User C (needs the shareapi_default_permissions set to 1 (all checkmarks off in admin panel))
- User B can add write permissions for the share to User C (User C may also be anonymous using a link)
- User C gets write access and can edit existing files

## Impact

User can get write permission on read-only shared files/folders.
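The invariant behind this report is that a re-share may never carry more permissions than the share it was derived from, both when it is created and on every later update. The following is a simplified model of that check, added here as an illustration and not Nextcloud's code: the `Share` class and all function names are hypothetical, and only the bit values follow Nextcloud's permission constants.

```python
from dataclasses import dataclass
from typing import Optional

# Bit values as in Nextcloud's permission constants; everything else is hypothetical.
READ, UPDATE, CREATE, DELETE, SHARE = 1, 2, 4, 8, 16
ALL = READ | UPDATE | CREATE | DELETE | SHARE

class ShareDenied(Exception):
    pass

@dataclass
class Share:
    owner: str
    recipient: str                     # user id, or "link" for an anonymous link
    permissions: int
    parent: Optional["Share"] = None   # share through which the owner got the item

def check(share, requested):
    """Reject any bit the parent share does not itself grant."""
    ceiling = share.parent.permissions if share.parent else ALL
    excess = requested & ~ceiling
    if excess:
        raise ShareDenied(f"bits {excess} exceed parent permissions {ceiling}")

def reshare(parent, recipient, permissions=READ):
    """Create a re-share; default of 1 mirrors shareapi_default_permissions = 1."""
    if not parent.permissions & SHARE:
        raise ShareDenied("parent share does not allow re-sharing")
    child = Share(parent.recipient, recipient, permissions, parent)
    check(child, permissions)
    return child

def update_unchecked(share, requested):
    """Model of the reported behaviour: the update is applied without the check."""
    share.permissions = requested
    return share

def update_checked(share, requested):
    """Hardened update: same ceiling as at creation time."""
    check(share, requested)
    share.permissions = requested
    return share

def can_write(share):
    return bool(share.permissions & UPDATE)
```

Validating only at creation is not enough in this model: the re-share starts at permission 1 and passes, so the ceiling has to be enforced again on every permission change.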
Report Stats
  • Report ID: 889243
  • State: Closed
  • Substate: resolved
  • Upvotes: 91