CVE-2016-4475 - API and UI org/locations actions not limited to user's associated orgs/locations
A number of API and UI actions/URLs for viewing and managing organisations and locations are not limited to the orgs/locations assigned directly to the user; instead they are restricted only by the permissions granted through the user's roles. Affected actions include:
- API index calls: GET /api/v2/organizations, GET /api/v2/locations
- API show/update/destroy calls
- UI edit/update/destroy calls
The UI index for orgs/locations and the UI org/location switcher appear to be the only places where the user's associated orgs/locations are taken into account.
Both UI and API controllers should override their resource-scope methods so that the scope is limited further to Organization.my_organizations / Location.my_locations.
Ensure that all org/location-related permissions assigned to a user are restricted to specific orgs/locations; those restrictions are still taken into account.
Thanks to Ivan Necas for reporting this to firstname.lastname@example.org.