Pankajindevops Scale Improper Access Control Vulnerability in API Endpoint

Vulnerability

A vulnerability has been identified in Pankajindevops Scale versions up to 20241113, in the API Endpoint component. The endpoint performs improper access control: it fails to verify the caller's permissions before granting access to certain functionality, so users with lower privileges can perform actions reserved for higher-privilege roles such as superAdmin. As a result, a member account can execute high-level requests and potentially compromise the entire organization by taking control of critical resources and actions.

Impact

Exploitation of this vulnerability allows for unauthorized access to API endpoints, enabling users to perform actions with elevated privileges, such as managing organization members, without proper authorization. This could lead to a complete compromise of organizational control from a lower-privileged account.

Reproduction

The vulnerability can be reproduced by sending API requests that require higher privileges, such as superAdmin rights, from an account with lower privileges, such as a member. The application does not expose these actions in the user interface for such an account, but the requests are still processed successfully, allowing unauthorized changes or access.
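The root cause described in the Vulnerability and Reproduction sections, a handler that relies on the UI hiding an action instead of checking the caller's role, is shown below beside its hardened form. This is an added illustration, not code from the Scale project: the role names, the `set_role` endpoint, the `Org` model and the sample accounts are all constructed assumptions.

```python
# Added example (not Scale's own code): a minimal in-memory model of an
# organization API showing the defect described in this advisory and the
# server-side fix. Role names, endpoint names and the sample organization are
# constructed for illustration and are not taken from the Scale code base.
from dataclasses import dataclass
from typing import Dict

# Higher rank means more privilege. The role names are an assumption.
ROLE_RANK = {"member": 1, "admin": 2, "superAdmin": 3}


class AuthorizationError(Exception):
    """Raised when the caller lacks the role an endpoint requires."""


@dataclass
class Org:
    members: Dict[str, str]  # username -> role


def require_role(org: Org, caller: str, minimum: str) -> None:
    """Server-side check: reject unknown callers and callers ranked below `minimum`."""
    role = org.members.get(caller)
    if role is None or ROLE_RANK[role] < ROLE_RANK[minimum]:
        raise AuthorizationError(f"{caller!r} ({role}) may not act as {minimum}")


def vulnerable_set_role(org: Org, caller: str, target: str, new_role: str) -> str:
    """Vulnerable handler: only checks that the caller is authenticated.

    Hiding the action in the UI protects nothing; any logged-in account that
    sends the request directly is honoured.
    """
    if caller not in org.members:
        raise AuthorizationError("not authenticated")
    org.members[target] = new_role
    return org.members[target]


def fixed_set_role(org: Org, caller: str, target: str, new_role: str) -> str:
    """Hardened handler: the role requirement is enforced inside the endpoint,
    independently of what the UI shows."""
    require_role(org, caller, "superAdmin")
    if new_role not in ROLE_RANK:
        raise ValueError(f"unknown role {new_role!r}")
    org.members[target] = new_role
    return org.members[target]


def sample_org() -> Org:
    # Constructed sample data: one superAdmin and one ordinary member.
    return Org(members={"alice": "superAdmin", "bob": "member"})


def demo() -> dict:
    """Run both handlers with a member-level caller and report what happened."""
    results = {}

    # Vulnerable handler: a member account performs a superAdmin-only action.
    org = sample_org()
    results["vulnerable_member_result"] = vulnerable_set_role(org, "bob", "bob", "superAdmin")

    # Fixed handler: the same request from the member account is rejected
    # and the stored role is unchanged.
    org = sample_org()
    try:
        fixed_set_role(org, "bob", "bob", "superAdmin")
        results["fixed_member_blocked"] = False
    except AuthorizationError:
        results["fixed_member_blocked"] = True
    results["fixed_member_role_after"] = org.members["bob"]

    # The legitimate superAdmin path still works after the fix.
    results["fixed_superadmin_result"] = fixed_set_role(org, "alice", "bob", "admin")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the hardened version is that the permission check lives in the endpoint, not in the client: whatever the interface shows, every privileged request is evaluated against the caller's stored role before any change is made.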

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         5.0
exploitability: 6.6
remediation:    0.0
relevance:      0.0
threat:         6.4
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.