Galette Group Manager Role-Based Access Control Bypass Vulnerability

Vulnerability

A vulnerability in Galette, a membership management web application for non-profit organizations, allows group managers to bypass role-based access controls. This issue is present in Galette versions 0.9.6 through 1.2.0. Exploitation of this vulnerability enables unauthorized access and modifications, despite existing role restrictions. The flaw arises from an access control oversight in how group-manager permissions are enforced, and it can be exploited by group managers who are malicious insiders or whose accounts have been compromised.

Impact

Exploitation of this vulnerability could lead to unauthorized access and changes within the application, allowing group managers to manipulate member data or permissions contrary to established role guidelines.

Reproduction

To reproduce this vulnerability, first ensure that the 'Can group managers create members?' option is disabled and the 'Can members create child' option is enabled in the Galette settings. Then, sign in as a group manager and access the 'addMember' GET route. The route remains accessible even though member creation by group managers is disabled in the current settings.
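The following is an added illustration, not Galette's code, of the kind of role-specific guard that the Reproduction steps above exercise and that the Vulnerability section describes as an access control oversight. It places a flawed guard, which opens the addMember route whenever any member-creation setting is enabled, beside a corrected guard keyed to the caller's own role, and evaluates both on the advisory's exact scenario. The setting names, role names and guard structure are assumptions chosen to mirror the advisory's wording; the actual defect in Galette may differ in detail.

```python
"""Model of the advisory's access-control decision (added illustration).

This is NOT Galette's code. The setting names, role names and guard
structure below are assumptions chosen to mirror the advisory's wording,
so the two guards can be compared on the exact scenario it describes.
"""
from dataclasses import dataclass
from typing import Callable, Tuple


@dataclass(frozen=True)
class Settings:
    # Assumed model of the 'Can group managers create members?' setting
    group_managers_can_create_members: bool
    # Assumed model of the 'Can members create child' setting
    members_can_create_child: bool


@dataclass(frozen=True)
class User:
    # Assumed roles: "admin", "group_manager" or "member"
    role: str


def can_access_add_member_flawed(user: User, settings: Settings) -> bool:
    """Hypothetical flawed guard for the addMember route.

    It asks "is any member-creation feature switched on?" instead of "is
    the feature for this caller's role switched on?", so enabling child
    creation for members also lets a group manager through even though the
    manager-specific setting is off.
    """
    if user.role == "admin":
        return True
    return (settings.group_managers_can_create_members
            or settings.members_can_create_child)


def can_access_add_member_fixed(user: User, settings: Settings) -> bool:
    """Corrected guard: each setting grants access only to the role it names.

    Unknown roles are denied, so a role added later cannot inherit access
    by accident (deny by default).
    """
    if user.role == "admin":
        return True
    if user.role == "group_manager":
        return settings.group_managers_can_create_members
    if user.role == "member":
        return settings.members_can_create_child
    return False


def manager_access_isolated(guard: Callable[[User, Settings], bool]) -> bool:
    """Property check over all four setting combinations: a group manager's
    decision must depend only on the manager-specific setting, never on
    the member child-creation setting. Returns True if the guard holds."""
    manager = User(role="group_manager")
    for mgr_on in (False, True):
        for child_on in (False, True):
            decision = guard(manager, Settings(mgr_on, child_on))
            if decision != mgr_on:
                return False
    return True


def reproduction_scenario() -> Tuple[bool, bool]:
    """Evaluate both guards on the advisory's reproduction steps: manager
    creation disabled, member child creation enabled, caller is a group
    manager. Returns (flawed_decision, fixed_decision)."""
    settings = Settings(group_managers_can_create_members=False,
                        members_can_create_child=True)
    manager = User(role="group_manager")
    return (can_access_add_member_flawed(manager, settings),
            can_access_add_member_fixed(manager, settings))


if __name__ == "__main__":
    flawed, fixed = reproduction_scenario()
    print(f"flawed guard grants access: {flawed}")  # True: the bypass
    print(f"fixed guard grants access:  {fixed}")   # False: denied as configured
    print(f"fixed guard isolates roles: {manager_access_isolated(can_access_add_member_fixed)}")
```

The property check is the useful part for a maintainer: rather than testing the single reported combination, it enumerates every setting combination and fails if a group manager's decision ever tracks the member-level setting, which is exactly the class of regression a later refactor of the guard could reintroduce.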

Remediation

Users can upgrade to Galette version 1.2.0 or later to address this vulnerability.

Added: Dec 19, 2025, 5:33 PM
Updated: Dec 19, 2025, 6:06 PM

Vulnerability Rating

Custom Algorithm

spread          1.9
impact          5.0
exploitability  6.6
remediation     7.7
relevance       1.4
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.