
Fix users can send chat messages after being disabled

Open ranjit-git opened this issue 3 years ago • 3 comments

Hello @reichert621, @cheeseblubber, @rhonsby - a potential high-severity security vulnerability has been disclosed to huntr. Report URL: https://www.huntr.dev/bounties/3-other-papercups-io/papercups/

BUG

A user can send chat messages even after their account is disabled.

IMPACT

If a user account is disabled by an admin, the user can still send chat messages to other users.

STEPS TO REPRODUCE

  1. From your admin account go to https://app.papercups.io/account/team and add user B as a normal user.

  2. Now log in as user B and open the URL https://app.papercups.io/conversations/all. Here user B can send messages to any other user. Keep this browser tab open.

  3. Now go to the admin account and disable user B. At this point user B should not be able to access their account or send messages to anyone.

  4. Finally go back to user B's account (the tab opened above): user B can still send messages to anyone, and can read any new incoming messages. As long as this tab stays open, user B can access their account and messages even after the account has been disabled by the admin.

ranjit-git, May 24 '21 10:05
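The report above describes a classic authorization-at-login-only bug: the account is checked when the session is created, and nothing consults the account's current state afterwards, so an already-open session (and an already-open websocket) keeps working after the admin disables the user. The model below is an added example written for this page; it is not Papercups code, and every name in it (Store, Channel, current_user_hardened, disable_user, the numeric user ids) is made up. It replays the four reproduction steps twice, once against a vulnerable resolver that trusts any existing session token, and once against a hardened resolver that re-checks the account on every request and every socket message and revokes live sessions and sockets when the account is disabled.

```python
"""Added example (not Papercups code): login-time-only authorization vs.
per-request re-check plus session revocation. All names are illustrative."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional
import secrets


@dataclass
class User:
    id: int
    role: str                      # "admin" or "user"
    disabled_at: Optional[datetime] = None


@dataclass
class Store:
    users: dict = field(default_factory=dict)     # user_id -> User
    sessions: dict = field(default_factory=dict)  # token -> user_id
    sockets: dict = field(default_factory=dict)   # user_id -> [Channel]
    messages: list = field(default_factory=list)  # (user_id, text)


def login(store: Store, user_id: int) -> str:
    """Issue a bearer token. The only check the vulnerable path ever makes."""
    if store.users[user_id].disabled_at is not None:
        raise PermissionError("account disabled")
    token = secrets.token_urlsafe(16)
    store.sessions[token] = user_id
    return token


def current_user_vulnerable(store: Store, token: str) -> User:
    """Vulnerable: any token that exists is trusted; disabled_at is never read."""
    return store.users[store.sessions[token]]


def current_user_hardened(store: Store, token: str) -> User:
    """Hardened: token must still exist AND the account must be enabled now."""
    user_id = store.sessions.get(token)
    if user_id is None:
        raise PermissionError("session revoked")
    user = store.users[user_id]
    if user.disabled_at is not None:
        raise PermissionError("account disabled")
    return user


def send_message(store: Store, token: str, text: str, hardened: bool) -> bool:
    """HTTP-style send: resolve the caller on every request, then post."""
    resolve = current_user_hardened if hardened else current_user_vulnerable
    user = resolve(store, token)
    store.messages.append((user.id, text))
    return True


class Channel:
    """Stand-in for a websocket channel joined from the open browser tab."""

    def __init__(self, store: Store, token: str, hardened: bool):
        self.store, self.token, self.hardened, self.open = store, token, hardened, True
        resolve = current_user_hardened if hardened else current_user_vulnerable
        store.sockets.setdefault(resolve(store, token).id, []).append(self)

    def handle_in(self, text: str) -> bool:
        """Each inbound socket message re-resolves the user (hardened path)."""
        if not self.open:
            raise ConnectionError("channel closed")
        return send_message(self.store, self.token, text, self.hardened)

    def close(self) -> None:
        self.open = False


def disable_user(store: Store, admin_token: str, target_id: int, hardened: bool) -> None:
    """Admin disables an account; the hardened path also kills live sessions."""
    if current_user_hardened(store, admin_token).role != "admin":
        raise PermissionError("admin only")
    store.users[target_id].disabled_at = datetime.now(timezone.utc)
    if hardened:
        for tok in [t for t, uid in store.sessions.items() if uid == target_id]:
            del store.sessions[tok]               # revoke every session token
        for ch in store.sockets.pop(target_id, []):
            ch.close()                            # drop open websocket channels


def reproduce(hardened: bool) -> dict:
    """Replay the report's steps; returns what user B could still do afterwards."""
    store = Store(users={1: User(1, "admin"), 2: User(2, "user")})
    admin_tok = login(store, 1)
    b_tok = login(store, 2)                       # step 2: B logs in, tab stays open
    ch = Channel(store, b_tok, hardened)
    assert ch.handle_in("hello before disable")   # works on both paths
    disable_user(store, admin_tok, 2, hardened)   # step 3: admin disables B
    result = {"http_send": False, "socket_send": False}
    try:                                          # step 4: does B's old tab still work?
        result["http_send"] = send_message(store, b_tok, "after disable", hardened)
    except PermissionError:
        pass
    try:
        result["socket_send"] = ch.handle_in("after disable via socket")
    except (PermissionError, ConnectionError):
        pass
    return result
```

`reproduce(hardened=False)` reports that both the HTTP send and the socket send still succeed after the disable, which is the behaviour the report describes; `reproduce(hardened=True)` reports both blocked. The two properties a real fix needs are both in the hardened path: the per-request resolver reads the account's current state instead of trusting the session, and disabling an account actively revokes its tokens and closes its sockets rather than waiting for the session to expire.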

Can you please update the report status at https://www.huntr.dev/bounties/3-other-papercups-io/papercups/ as it is a valid security bug?

ranjit-git, Jun 09 '21 14:06

Is this bug fixed?

ranjit-git, Apr 01 '22 05:04

It's been about a year, but I see the security bug is still open.

ranjit-git, Apr 01 '22 05:04