Chartbrew Incorrect Access Control Vulnerability in Dashboard Route
Vulnerability
A vulnerability in Chartbrew version 4.9.0 allows authenticated users to access dashboard data from projects they do not have permission to view. The issue arises because a legacy dashboard route bypasses project-level authorization and exposes raw project data, including sensitive values such as report passwords. The vulnerability can be exploited by low-privilege users who belong to the same team as the project owner.
Impact
Exploitation of this vulnerability allows unauthorized access to another user's project dashboard data, including charts, filters, share policy information, and sensitive report passwords. This could weaken the security of public reports by exposing hidden chart data.
Reproduction
To reproduce this vulnerability, an authenticated user must be a member of the same team as the target user and know the name of the project dashboard they wish to access. The user can send a request to the legacy dashboard route, including an authorization token that does not grant access to the specific project. The server will respond with the requested dashboard data, including sensitive information such as the project's report password.
Remediation
Users can update to Chartbrew version 5.0.0, where this vulnerability has been patched.
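The root cause described above is an authorization check that stops at the team level. The following JavaScript is an added illustration, not Chartbrew's own code: every name in it (projects, teamMembers, projectAccess, getDashboard, the dashboard names and the sample "report passwords") is constructed for the example. It models a dashboard route looked up by project name, runs it once with a team-only check (the legacy behaviour) and once with a project-scoped check, and strips the report password from the payload so that even an authorized caller never receives it.

```javascript
// Added illustration, not Chartbrew's code. All identifiers are hypothetical.
// Contrast: a route that only verifies team membership versus one that also
// enforces project-level access, plus a view that omits the report password.

// Constructed sample data: one team with two members, each owning one project.
const projects = [
  { id: 101, teamId: 1, name: "sales", reportPassword: "sample-secret-1", charts: ["c1"] },
  { id: 102, teamId: 1, name: "finance", reportPassword: "sample-secret-2", charts: ["c2"] },
];
const teamMembers = { 1: new Set([1, 2]) };                     // teamId -> userIds
const projectAccess = { 101: new Set([1]), 102: new Set([2]) }; // projectId -> userIds

// Resolve a dashboard by team and name, as a name-addressed route would.
function findProjectByName(teamId, name) {
  return projects.find((p) => p.teamId === teamId && p.name === name) || null;
}

// Check 1: team-level only. Any member of the team passes for any of its projects.
// This is the insufficient check the advisory describes.
function teamOnlyAuthorize(userId, project) {
  const members = teamMembers[project.teamId];
  return Boolean(members && members.has(userId));
}

// Check 2: project-level. Team membership is necessary but not sufficient;
// the caller must also be on the project's own access list.
function projectAuthorize(userId, project) {
  if (!teamOnlyAuthorize(userId, project)) return false;
  const allowed = projectAccess[project.id];
  return Boolean(allowed && allowed.has(userId));
}

// Never serialize secrets into a dashboard payload, regardless of who asks.
function dashboardView(project) {
  const { reportPassword, ...safe } = project;
  return safe;
}

// Route handler modelled as a plain function:
// (requesting user, team, dashboard name, authorization policy) -> HTTP-like response.
function getDashboard(userId, teamId, name, authorize) {
  const project = findProjectByName(teamId, name);
  if (!project) return { status: 404, body: null };
  if (!authorize(userId, project)) return { status: 403, body: null };
  return { status: 200, body: dashboardView(project) };
}

// Demonstration: user 2 is on team 1 but is not on the "sales" project.
console.log(getDashboard(2, 1, "sales", teamOnlyAuthorize).status); // 200: legacy behaviour
console.log(getDashboard(2, 1, "sales", projectAuthorize).status);  // 403: project-scoped
console.log(getDashboard(1, 1, "sales", projectAuthorize).body);    // no reportPassword field
```

The two points a reviewer would look for in a fix are visible here: the project-scoped policy is applied on the legacy route itself rather than only on newer routes, and the response is built from a view that omits the secret, so an authorization slip elsewhere does not leak the report password.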
