{
  "schema_version": "1.4.0",
  "id": "GHSA-qcqv-38jg-2r43",
  "modified": "2022-09-15T17:56:13Z",
  "published": "2022-09-15T03:21:41Z",
  "aliases": [],
  "summary": "Pageflow vulnerable to insecure direct object reference in membership update endpoint",
  "details": "### Impact\n\nPageflow has a membership edit feature which allows users to edit the roles of user memberships associated with an account that they have the `manager` role to (including their own). While the `Entity` dropdown select field is greyed out in the UI, an attacker can use tools which allow sending arbitrary HTTP requests to craft a request to the `/admin/users/{user_id}/memberships/{membership_id}` endpoint containing an additional `membership[entity_id]` parameter. This parameter is honored when the membership is updated, allowing an attacker to update the membership object associated with their own account (with `manager` role) to be associated with a different attacker-chosen account instead. Since `account_id`s are enumerable, an attacker can compromise all accounts present on the platform.\n\n### Mitigation\n\nUpgrade to version 15.7.1 or 14.5.2 of the `pageflow` gem.\n\n### For more information\n\nIf you have any questions or comments about this advisory email us at info(at)codevise.de\n\n### Credits\n\n[Positive Security](https://positive.security/)",
  "severity": [],
  "affected": [
    {
      "package": { "ecosystem": "RubyGems", "name": "pageflow" },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [ { "introduced": "0" }, { "fixed": "14.5.2" } ]
        }
      ]
    },
    {
      "package": { "ecosystem": "RubyGems", "name": "pageflow" },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [ { "introduced": "15.0.0" }, { "fixed": "15.7.1" } ]
        }
      ]
    }
  ],
  "references": [
    { "type": "WEB", "url": "https://github.com/codevise/pageflow/security/advisories/GHSA-qcqv-38jg-2r43" },
    { "type": "WEB", "url": "https://github.com/codevise/pageflow/pull/1862" },
    { "type": "PACKAGE", "url": "https://github.com/codevise/pageflow" }
  ],
  "database_specific": {
    "cwe_ids": [],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-15T03:21:41Z",
    "nvd_published_at": null
  }
}