Adding the same user as one already registered in the teams
HackerOne
Team Summary
Official summary from HackerOne
@rbcafe discovered that a team can bypass the invite restriction to invite the same person again by using uppercase letters. This means that when one invites the same user with a different role and you ban the original account, they can rejoin the team by using the invitation link to the different role. After discussing this internally, we came to the conclusion that this is something that team members have to look out for and would probably not go undetected. Nevertheless, we are very grateful for @rbcafe's report and look forward to working with them again in future.
Reported by
rbcafe
Vulnerability Details
Technical details and impact analysis
**Description:**
It is possible to add the same user as one already registered in the teams.
### Steps To Reproduce
1. Go to https://hackerone.com/team_name/team_members
2. Note the users' e-mail addresses.
3. Use the same e-mail address as one already registered, but vary the upper/lower case.
4. Observe that it is possible to add the same address as the one already registered.
### Optional: Your Environment (Browser version, Device, etc)
* Firefox
### Optional: Supporting Material/References (Screenshots)
* ██████████
### FIX ###
* Add a grep on the e-mail.
Regards,
Rbcafe
## Impact
- Needless server load.
- Bypass of already existing e-mails.
- Bypass of the check on already existing e-mails.
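The weak check the report describes (a raw string comparison that lets `Alice@Example.com` pass alongside `alice@example.com`) next to a canonicalizing check, plus an audit helper a team admin could run over an exported member list to spot spellings that differ only in case. This is an added example, not HackerOne's code; the `TeamInvites` class, `canonical_email` helper and member data are constructed for illustration, and case-insensitive handling of the local part is an assumption (RFC 5321 allows it to be case-sensitive, but mail providers treat it otherwise).

```python
"""Case-sensitive duplicate-invite check (the reported behaviour) beside a
canonicalizing one, with an audit helper for an existing member list.
Added example; not HackerOne's code. Member data below is constructed."""
import unicodedata


def canonical_email(email: str) -> str:
    """Trim, Unicode-normalize and case-fold an address so spellings that
    differ only in case map to one key. Assumption: the local part is
    treated case-insensitively, as mail providers do in practice."""
    e = unicodedata.normalize("NFKC", email.strip())
    local, sep, domain = e.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    return f"{local.casefold()}@{domain.casefold()}"


class TeamInvites:
    """Tracks one team's invites keyed by e-mail and rejects duplicates."""

    def __init__(self, canonicalize: bool = True) -> None:
        self.canonicalize = canonicalize
        self._roles: dict[str, str] = {}  # key -> role

    def _key(self, email: str) -> str:
        # canonicalize=False reproduces the weak check: raw string comparison,
        # so "Alice@Example.com" slips past an existing "alice@example.com".
        return canonical_email(email) if self.canonicalize else email

    def invite(self, email: str, role: str) -> bool:
        """Return True when a new invite is recorded, False when that
        person already has one, whatever role is requested this time."""
        key = self._key(email)
        if key in self._roles:
            return False
        self._roles[key] = role
        return True

    def member_count(self) -> int:
        return len(self._roles)


def find_case_duplicates(emails: list[str]) -> dict[str, list[str]]:
    """Audit an existing member list: group addresses that collapse to the
    same canonical key and return only groups with more than one spelling."""
    groups: dict[str, list[str]] = {}
    for e in emails:
        groups.setdefault(canonical_email(e), []).append(e)
    return {k: v for k, v in groups.items() if len(v) > 1}
```

Running `find_case_duplicates` over an exported member list is the detection side of this issue: any group it returns is a person who already holds more than one invite under different spellings.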
Report Details
Additional information and metadata
State
Closed
Substate
Informative