CVE-2016-4451 - Privilege escalation through Organization and Locations API
Triaged:
Fixed in Releases:
Bugzilla link: 1340107
Found in Releases:
We set the current org/loc for the user in a before filter blindly, without any association check. As a user I'd expect a 404 (bug fixed by #3549), but I get the list of resources from the org I've chosen even though I'm not associated with it.
Note that this is possible because users have the viewer_role by default, allowing them to view all data regardless of organization. If the user had all filters associated with org 1 only, he/she wouldn't see resources from org 2.
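The missing check, shown as an added plain-Ruby illustration (not Foreman's own code): a minimal model of the before filter described above, in its blind form and with the association check that yields a 404. The classes, the `organization_id` parameter and the sample orgs and hosts are assumed for the example.

```ruby
# Added illustration, not Foreman's code. User, Organization, NotFound and the
# two set_current_organization_* helpers are assumed names, not project API.

class NotFound < StandardError; end   # stands in for an HTTP 404 response

Organization = Struct.new(:id, :name, :hosts)

class User
  attr_reader :login, :organizations
  def initialize(login, organizations)
    @login = login
    @organizations = organizations   # orgs the user is actually associated with
  end
end

# Constructed sample data for the example.
ORG1 = Organization.new(1, "org1", ["host-a.org1", "host-b.org1"])
ORG2 = Organization.new(2, "org2", ["host-c.org2"])
ALL_ORGS = { 1 => ORG1, 2 => ORG2 }
ALICE = User.new("alice", [ORG1])   # associated with org1 only

# Blind form: trusts the organization_id parameter and makes that org current
# without checking the user's associations, so alice can list org2's hosts.
def set_current_organization_vulnerable(_user, params)
  org = ALL_ORGS.fetch(params[:organization_id])
  org.hosts   # resources scoped to the chosen org
end

# Checked form: the requested org must exist and be one the user is
# associated with; anything else is answered with a 404 (NotFound here).
def set_current_organization_checked(user, params)
  org = ALL_ORGS[params[:organization_id]]
  raise NotFound unless org && user.organizations.include?(org)
  org.hosts
end
```

The permission side of the report (viewer_role granting view access across all orgs) is deliberately not modelled; the example isolates the association check the filter was missing.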