Unlocking Restricted Features: A Vulnerability Analysis of Organization’s Role Management
In the name of God, the Most Gracious, the Most Merciful. O God, send blessings and peace upon our Prophet Muhammad.
Hello,
In today’s digital landscape, security vulnerabilities can pose significant risks to organizations. Together with Ahmed Ashraf, I found one that allows an attacker holding a Custom Role to escalate their privileges and access restricted Owner-only features, particularly the advanced moderation functionality. By intercepting and modifying API requests, the attacker gains unauthorized access to features intended solely for users with the highest privilege level (Owner), such as managing moderator groups and assigning user roles within moderation controls. This post details the setup, the steps to reproduce the vulnerability, and the potential impact of this exploit.
Privileges Required
- Owner → Full access to all functionalities within the REDACTED dashboard.
- Admin → Restricted access to Owner functionalities, with permissions defined
Steps to Reproduce
As the Victim
1. Sign into the Owner account.
2. Invite the attacker:
- Invite the attacker to join the organization with the Admin role.
As the Attacker
- Accept the invitation and sign into the account with the Admin role.
- While testing in Application > Settings > Moderation > Moderator group, I found that this page is restricted (it is visible to the Owner only).
3. I navigated to the Owner’s permissions and found that the Owner has access to Advanced Moderation.
4. So I went to create a Custom Role with all permissions:
- Navigate to: Settings > Roles
- Configure the role to have all permissions. In the Moderation permissions, however, I could not choose Advanced Moderation:
“Note: Only the owner with advanced moderation permissions has access to this feature.”
5. Intercept the edit request:
- Endpoint: PATCH /dashboard_api/organization_member_roles/{role_id}/
- Modify the request body, replacing “moderation.basic” with “moderation.advanced” for the restricted feature:
{ "permissions": [ "moderation.advanced" ] }
- Send the modified request.
- Receive a 200 OK response, indicating success.
6. Now change my role to the Mod role. At this point I ran into a problem.
7. So I navigated again to the Mod role to edit its permission back to basic moderation.
8. Now I can give myself the Mod role -> it works.
9. After getting the role, go to edit it and escalate myself to Advanced Moderation.
10. Navigate to the Moderator group that was previously restricted, confirming that the attacker now has access and can perform the following:
- The attacker can now create, edit, and delete moderator groups, gaining full control over moderation functionalities.
Additional Exploit
- Another bug I discovered:
- When creating a moderator group, the attacker can only add Owners as moderators.
- Intercept the request using Burp Suite.
- Endpoint: POST /moderation_engine_api/v2/review_queues
- Modify the request body to include any user_id within the organization, regardless of their role:
{
"moderatorIds": [31002582, 31002587]
}
- Send the modified request: receive a 200 OK response, successfully adding low-privilege users as moderators.
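Both findings share one root cause: the server trusts the client-supplied permissions list and moderatorIds instead of re-checking them against the caller’s own privileges and the organization’s membership. The following is an added Python example, not code from the vendor or from this write-up, that models the PATCH role endpoint from step 5 and the POST review_queues endpoint above with an in-memory organization and shows the server-side checks that turn each modified request into a 403 instead of a 200 OK. The permission name roles.manage, the user ids and the in-memory data structures are constructed for the example; only moderation.basic, moderation.advanced, the two endpoint paths and the Owner-only rule come from the write-up.

```python
"""Server-side authorization guards for the two endpoints in the write-up.

Added example, not the vendor's code. Organization data is in-memory and
constructed; "roles.manage" is a hypothetical permission name.
"""
from dataclasses import dataclass

# Owner-only permission named on the page.
OWNER_ONLY_PERMISSIONS = {"moderation.advanced"}
# Hypothetical permission that lets a role edit other roles.
ROLE_MANAGE = "roles.manage"


class Forbidden(Exception):
    """The request must be answered with 403, never 200 OK."""


@dataclass
class Member:
    user_id: int
    role_id: str  # "owner" or a key of Organization.roles


@dataclass
class Organization:
    roles: dict    # role_id -> set of permission strings
    members: dict  # user_id -> Member

    def is_owner(self, user_id: int) -> bool:
        return self.members[user_id].role_id == "owner"

    def has(self, user_id: int, perm: str) -> bool:
        """Owner has every permission; everyone else only what the role grants."""
        if self.is_owner(user_id):
            return True
        return perm in self.roles.get(self.members[user_id].role_id, set())


def patch_role(org: Organization, actor_id: int, role_id: str, body: dict) -> dict:
    """PATCH /dashboard_api/organization_member_roles/{role_id}/ (modelled).

    The permissions list in the body is validated against the caller: a role can
    never be given more than the caller already holds, and an Owner-only
    permission needs an Owner caller, whatever the client sends.
    """
    if role_id == "owner" or role_id not in org.roles:
        raise Forbidden(f"role {role_id!r} is not editable")
    if not org.has(actor_id, ROLE_MANAGE):
        raise Forbidden("caller may not manage roles")
    requested = set(body.get("permissions", []))
    for perm in requested:
        if perm in OWNER_ONLY_PERMISSIONS and not org.is_owner(actor_id):
            raise Forbidden(f"{perm} is Owner-only")
        if not org.has(actor_id, perm):
            raise Forbidden(f"caller does not hold {perm} and cannot grant it")
    org.roles[role_id] = requested
    return {"status": 200, "permissions": sorted(requested)}


def create_review_queue(org: Organization, actor_id: int, body: dict) -> dict:
    """POST /moderation_engine_api/v2/review_queues (modelled).

    Every moderatorId must belong to a member of this organization who is
    eligible (an Owner, the rule the UI already applies), not any integer the
    client chose to send.
    """
    if not org.has(actor_id, "moderation.advanced"):
        raise Forbidden("moderator groups require moderation.advanced")
    moderator_ids = body.get("moderatorIds", [])
    for uid in moderator_ids:
        if uid not in org.members:
            raise Forbidden(f"user {uid} is not in this organization")
        if not org.is_owner(uid):
            raise Forbidden(f"user {uid} is not eligible to be a moderator")
    return {"status": 200, "moderatorIds": list(moderator_ids)}


def handle(endpoint, *args) -> dict:
    """Turn Forbidden into the 403 response a real handler would return."""
    try:
        return endpoint(*args)
    except Forbidden as exc:
        return {"status": 403, "error": str(exc)}


# Constructed sample organization: one Owner, an invited Admin (the attacker in
# the write-up) and a low-privilege member holding an empty Custom Role.
OWNER_ID, ADMIN_ID, LOW_PRIV_ID = 1001, 2002, 3003


def sample_org() -> Organization:
    return Organization(
        roles={"admin": {ROLE_MANAGE, "moderation.basic"}, "custom": set()},
        members={
            OWNER_ID: Member(OWNER_ID, "owner"),
            ADMIN_ID: Member(ADMIN_ID, "admin"),
            LOW_PRIV_ID: Member(LOW_PRIV_ID, "custom"),
        },
    )


if __name__ == "__main__":
    org = sample_org()
    # Step 5 of the write-up: the Admin tries to put "moderation.advanced" on the Custom Role.
    print(handle(patch_role, org, ADMIN_ID, "custom", {"permissions": ["moderation.advanced"]}))
    # Within the caller's own privileges: allowed.
    print(handle(patch_role, org, ADMIN_ID, "custom", {"permissions": ["moderation.basic"]}))
    # Additional exploit: a low-privilege member sent as moderatorId is refused.
    print(handle(create_review_queue, org, OWNER_ID, {"moderatorIds": [LOW_PRIV_ID]}))
```

The check in patch_role is deliberately relative to the caller rather than a fixed list: it also closes the step 8/9 path, where the attacker first takes the Custom Role and then edits it again, because the role they now hold has no roles.manage and no moderation.advanced to pass on.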
Impact:
An invited user with a custom role can escalate himself and his role to reach the restricted endpoints, and can then manage all aspects of all channels and advanced moderation, including rules, ticket management, moderation management, moderation logs, and general information on the organization.
That’s all for today. I hope you all enjoyed it and learned something new.
All my links are here.