La Suite Numérique People Privilege Escalation Vulnerability
Vulnerability
A privilege escalation vulnerability has been identified in the People application of La Suite Numérique, specifically in version 1.23.1. The issue allows a user with the Administrator role on a mail domain to send a crafted invitation request that promotes any existing user, including one with no current access to the domain, to the Owner role. Exploitation requires a single authenticated HTTP request and grants immediate full domain ownership, bypassing any acceptance step by the target user.
Impact
Exploitation of this vulnerability allows an Administrator to escalate a user's role to Owner, granting them full control over the domain, including the ability to delete the domain and manipulate other owners' roles. This could lead to unauthorized domain ownership and disruption of domain management.
Reproduction
To reproduce this vulnerability, an authenticated user with the Administrator role on a mail domain sends a POST request to the '/api/v1.0/mail-domains/<slug>/invitations/' endpoint. The request includes the email address of an existing user and specifies the role as 'owner'. Because the invitee already exists in the system, the server responds by creating a MailDomainAccess record with the Owner role, promoting the user without their consent.
Remediation
Users are advised to update to version 1.25.0, where this vulnerability has been patched.
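The missing check, modelled in Python as an added example that is not the project's own code: the vulnerable variant mirrors the behaviour the advisory describes (an administrator may request any role, and an existing user is granted it at once), while the hardened variant refuses a role that outranks the inviter's and always leaves the grant to the acceptance step. The class, function names and the two-role hierarchy are assumptions for illustration, not the upstream patch.

```python
from dataclasses import dataclass, field

# Role order as the advisory describes it: owner outranks administrator.
ROLE_RANK = {"administrator": 1, "owner": 2}

class PermissionDenied(Exception):
    """Inviter lacks the right to issue this invitation."""

@dataclass
class MailDomain:
    """Assumed stand-in for a mail domain and its MailDomainAccess records."""
    slug: str
    accesses: dict = field(default_factory=dict)  # email -> role
    pending_invitations: list = field(default_factory=list)

def _inviter_role(domain, inviter):
    """Both variants require the inviter to be at least administrator."""
    role = domain.accesses.get(inviter)
    if role is None or ROLE_RANK[role] < ROLE_RANK["administrator"]:
        raise PermissionDenied("inviter must be administrator or owner")
    return role

def invite_vulnerable(domain, inviter, target, role, existing_users):
    """Behaviour the advisory attributes to 1.23.1: an administrator may
    request any role, and an existing user receives it immediately."""
    _inviter_role(domain, inviter)
    if target in existing_users:
        domain.accesses[target] = role  # promotion without acceptance
        return "promoted"
    domain.pending_invitations.append((target, role))
    return "pending"

def invite_hardened(domain, inviter, target, role, existing_users):
    """Checks a defender expects (assumed, not the upstream patch): the role
    must be known and must not outrank the inviter's own role, and access is
    never granted until the invitee accepts."""
    inviter_role = _inviter_role(domain, inviter)
    if role not in ROLE_RANK:
        raise PermissionDenied(f"unknown role {role!r}")
    if ROLE_RANK[role] > ROLE_RANK[inviter_role]:
        raise PermissionDenied(f"{inviter_role} may not grant {role}")
    domain.pending_invitations.append((target, role))
    return "pending"

def outcome(handler, domain, inviter, target, role, existing_users):
    """Run an invitation handler and report the result as a short string."""
    try:
        return handler(domain, inviter, target, role, existing_users)
    except PermissionDenied:
        return "denied"
```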