IV83296: Privilege escalation vulnerability in builder tools


The TRIRIGA user is able to view or modify resources, and perform functions that they have not been authorized to, at various points throughout the application.

Steps to replicate:

1. Log in to the application as a user who has access to Workflow Builder.
2. Navigate to edit a workflow. Copy the URL.
3. Log in as a user who does NOT have access to Workflow Builder.
4. Adjust the security token in the copied URL and access the Workflow Builder with the non-authorized user.

Review of the failed penetration test indicates that the same issue also exists for Reports (resolved), Lists, Globalization Manager, Currency Conversion, Portal Builder, and the UX Designers.

The TRIRIGA builder tools are vulnerable to privilege escalation because access to a builder is granted on the basis of a token carried in the URL rather than on the permissions of the authenticated user. This fix closes that privilege escalation vulnerability within the builder tools.
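The root cause described above is an authorization decision that depends on a token in the URL rather than on the authenticated session. The following is an added illustration of the two designs side by side; it is not IBM TRIRIGA code and all names (`User`, `Session`, `authorize_vulnerable`, `authorize`, `BUILDER_TOOLS`) are hypothetical. The vulnerable handler accepts any token that exists in a server-side table, so a URL copied from an entitled user carries the privilege with it; the hardened handler checks the requesting user's entitlement on every request and additionally binds the token to the session that minted it.

```python
"""Added example (not IBM TRIRIGA code): builder-tool authorization must be
derived from the authenticated session, never from a token in the URL alone.
All names here are hypothetical."""
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets

# Builder tools named in the advisory (constructed identifiers).
BUILDER_TOOLS = {"workflow", "report", "list", "globalization", "currency", "portal", "ux"}


@dataclass
class User:
    name: str
    tools: set = field(default_factory=set)   # builder tools this user may open


@dataclass
class Session:
    user: User
    id: str = field(default_factory=lambda: secrets.token_hex(16))


# --- Pattern to avoid: the token alone decides access --------------------------
# The token is minted for an entitled user, but once issued it is accepted from
# whoever presents it, so the copied URL works for an unentitled session.
_TOKEN_TABLE: dict[str, str] = {}


def mint_token_vulnerable(session: Session, tool: str) -> str:
    token = secrets.token_hex(8)
    _TOKEN_TABLE[token] = tool          # not bound to the user or session
    return token


def authorize_vulnerable(session: Session, tool: str, token: str) -> bool:
    # The session argument is ignored: only the token is consulted.
    return _TOKEN_TABLE.get(token) == tool


# --- Hardened: decide from the principal, and bind the token to the session ----
_SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret (constructed here)


def mint_token(session: Session, tool: str) -> str:
    msg = f"{session.id}:{tool}".encode()
    return hmac.new(_SERVER_KEY, msg, hashlib.sha256).hexdigest()


def authorize(session: Session, tool: str, token: str) -> bool:
    if tool not in BUILDER_TOOLS:
        return False
    # 1. Entitlement is re-evaluated from the authenticated user on every request,
    #    regardless of what the URL says.
    if tool not in session.user.tools:
        return False
    # 2. The token must have been minted for this very session; one copied from
    #    another user's URL will not verify.
    return hmac.compare_digest(mint_token(session, tool), token)


def demo() -> dict:
    """Replays the advisory's scenario against both handlers with constructed users."""
    alice = User("alice", {"workflow"})     # has Workflow Builder access
    bob = User("bob", set())                # has no builder access
    sa, sb = Session(alice), Session(bob)

    copied_vuln_token = mint_token_vulnerable(sa, "workflow")   # from Alice's URL
    copied_good_token = mint_token(sa, "workflow")

    return {
        "vulnerable_accepts_copied_url": authorize_vulnerable(sb, "workflow", copied_vuln_token),
        "hardened_rejects_copied_url": not authorize(sb, "workflow", copied_good_token),
        "hardened_allows_entitled_owner": authorize(sa, "workflow", copied_good_token),
        "hardened_rejects_unentitled_with_own_token":
            not authorize(sb, "workflow", mint_token(sb, "workflow")),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The second check in `authorize` is defence in depth; the first is the one that closes the advisory's issue. Even a token that verifies correctly does not grant access unless the user behind the session is entitled to the tool, which is why the last case in `demo()` is rejected.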
