
Excessive privileges

Description

An authenticated user of the application can trigger an error that exposes the underlying SharePoint platform. From there they can create groups with excessive privileges and use functions that were not accessible to them originally, modify or remove the permissions that other users or groups hold on the application, and share content with users who did not originally have access.

Impact

  • Create groups within the application with excessive permissions and use them to reach functions that were not accessible originally.
  • Edit or remove the permissions that other users or groups hold on the application.
  • Share application content with unauthorized users.

Recommendation

Configure the application so that regular users cannot modify their own permissions or those of other users and groups: restrict group creation, permission changes and sharing to designated administrators, and make sure an application error cannot expose the permission management of the underlying platform.
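The following added example (not code from the original page) models the three actions from the description and the effect of the recommended configuration. It is a self-contained toy in Python with constructed sample users and one document; the setting users_may_manage_permissions is a hypothetical name chosen here to stand in for "users can modify their permissions". With the weak setting a user holding only view rights creates an admin group, strips an administrator's permission and shares the document with an outsider; with the hardened default every one of those calls is refused by a single authorization gate.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    NONE = 0
    VIEW = 1
    EDIT = 2
    ADMIN = 3   # only this level may create groups or alter permissions


@dataclass
class Group:
    level: Level
    members: set = field(default_factory=set)


class Forbidden(Exception):
    pass


class Site:
    """Toy model of a document site: users, groups and per-document ACLs.

    users_may_manage_permissions is a hypothetical setting standing in for
    the recommendation on this page. False (the hardened default) means only
    administrators may create groups or change permissions; True reproduces
    the weakness, where any authenticated user may do so.
    """

    def __init__(self, users, users_may_manage_permissions=False):
        self.users = dict(users)      # user -> directly assigned Level
        self.groups = {}              # group name -> Group
        self.acls = {}                # document -> {principal: Level}
        self.users_may_manage_permissions = users_may_manage_permissions

    def effective_level(self, user):
        """Highest level held directly or through any group membership."""
        level = self.users.get(user, Level.NONE)
        for group in self.groups.values():
            if user in group.members:
                level = max(level, group.level)
        return level

    def _authorize_change(self, caller):
        """Single gate for every operation that alters who may do what."""
        if caller not in self.users:
            raise Forbidden("unknown user")
        if self.users_may_manage_permissions:
            return                      # weak configuration: no check at all
        if self.effective_level(caller) < Level.ADMIN:
            raise Forbidden(f"{caller} is not an administrator")

    def create_group(self, caller, name, level, members):
        self._authorize_change(caller)
        self.groups[name] = Group(level, set(members))

    def set_permission(self, caller, document, principal, level):
        self._authorize_change(caller)
        self.acls.setdefault(document, {})[principal] = level

    def share(self, caller, document, recipient):
        """Sharing is just granting VIEW, so it goes through the same gate."""
        self.set_permission(caller, document, recipient, Level.VIEW)

    def level_on(self, document, principal):
        return self.acls.get(document, {}).get(principal, Level.NONE)


def replay_attack(users_may_manage_permissions):
    """Run the three actions from the description as low-privileged 'mallory'
    (constructed sample data) and report the resulting state."""
    site = Site({"alice": Level.ADMIN, "mallory": Level.VIEW, "eve": Level.NONE},
                users_may_manage_permissions)
    site.acls["budget.xlsx"] = {"alice": Level.ADMIN, "mallory": Level.VIEW}
    blocked = []
    actions = [
        # 1. create a group with excessive privileges and join it
        lambda: site.create_group("mallory", "superusers", Level.ADMIN, {"mallory"}),
        # 2. strip another user's permission on a document
        lambda: site.set_permission("mallory", "budget.xlsx", "alice", Level.NONE),
        # 3. share content with a user who had no access
        lambda: site.share("mallory", "budget.xlsx", "eve"),
    ]
    for index, action in enumerate(actions, start=1):
        try:
            action()
        except Forbidden:
            blocked.append(index)
    return {
        "mallory_level": site.effective_level("mallory"),
        "alice_on_budget": site.level_on("budget.xlsx", "alice"),
        "eve_on_budget": site.level_on("budget.xlsx", "eve"),
        "blocked": blocked,
    }


if __name__ == "__main__":
    print("weak    :", replay_attack(users_may_manage_permissions=True))
    print("hardened:", replay_attack(users_may_manage_permissions=False))
```

The point of routing group creation, permission edits and sharing through one gate is that the fix is a single, auditable place: if sharing had its own code path without the administrator check, the third impact on this page would remain even after the first two were closed.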

Threat

Attacker with access to the application from the Internet.

Expected Remediation Time

⌚ 120 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: L
  • User interaction: N
  • Scope: C
  • Confidentiality: L
  • Integrity: H
  • Availability: L

Temporal

  • Exploit code maturity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L/E:X/RL:X/RC:X
  • Score:
    • Base: 9.1
    • Temporal: 9.1
  • Severity:
    • Base: Critical
    • Temporal: Critical

Code Examples

Compliant code

Access roles have clearly defined permissions, and only the administrator role can add, edit or remove.

class User {
    UserRole role;  // the single role that decides what this user may do
    // other user-related fields
}

abstract class UserRole {
    abstract void view();  // every role can at least view
}

// The only role that can add, edit or remove is the administrator role;
// no other role in the application grants these operations.
final class AdminRole extends UserRole {
    public void add() {}
    public void view() {}
    public void edit() {}
    public void remove() {}
}

Non compliant code

Poorly configured access roles exist in the application: a second role grants editing rights to users who were not meant to have them.

class User {
    UserRole role;
    // other user-related fields
}

abstract class UserRole {
    abstract void view();
}

class AdminRole extends UserRole {
    public void add() {}
    public void view() {}
    public void edit() {}
    public void remove() {}
}

// A second role exists that hands editing permissions to any user who
// manages to be assigned it, so a regular user can reach functions that
// were meant to be restricted.
class EditRole extends UserRole {
    public void view() {}
    public void edit() {}
}

Requirements