A TRIRIGA user is able to view or modify resources, and perform functions, that they have not been authorized for, at various points throughout the application.
Steps to replicate:
1. Log in to the application with a user who has access to Workflow Builder.
2. Navigate to edit a workflow. Copy the URL.
3. Log in with a user who does NOT have access to Workflow Builder.
4. Adjust the security token in the copied URL and access the Workflow Builder with the non-authorized user.
Review of the failed penetration test indicates that this issue also exists for Reports (already resolved), Lists, Globalization Manager, Currency Conversion, Portal Builder, and the UX Designers.
The TRIRIGA builder tools are vulnerable to privilege escalation. We have fixed this privilege escalation vulnerability within the builder tools.
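The root cause described above is an authorization decision that can be influenced by a token carried in a copied URL rather than by the authenticated session. The following is an added example, not TRIRIGA's own code, of a server-side gate for the builder tools named in this advisory: identity and permissions come only from the session, any URL token is ignored for the decision, and denied attempts are recorded for detection. The permission names and the "token" query parameter name are assumptions.

```python
# Added example (not TRIRIGA's code): a server-side authorization gate for
# builder-tool requests that decides from the authenticated session alone.
from dataclasses import dataclass

# Builder tools named in the advisory, mapped to the permission each needs.
# The permission names are assumptions for this example, not TRIRIGA's own.
BUILDER_TOOL_PERMISSIONS = {
    "workflow_builder": "BUILDER_WORKFLOW",
    "reports": "BUILDER_REPORTS",
    "lists": "BUILDER_LISTS",
    "globalization_manager": "ADMIN_GLOBALIZATION",
    "currency_conversion": "ADMIN_CURRENCY",
    "portal_builder": "BUILDER_PORTAL",
    "ux_designer": "BUILDER_UX",
}

@dataclass(frozen=True)
class Session:
    user: str
    permissions: frozenset  # resolved server-side at login, never from the URL

@dataclass(frozen=True)
class Request:
    session: Session
    tool: str
    query: dict  # URL parameters: the client can copy or edit these at will

audit_log = []  # denied attempts, kept for detection and review

def authorize_tool_access(req: Request) -> bool:
    """Grant access only if the session's own permissions cover the tool.

    Any token in the URL (placeholder parameter name "token") is ignored
    for the decision; unknown tools are denied by default.
    """
    required = BUILDER_TOOL_PERMISSIONS.get(req.tool)
    allowed = required is not None and required in req.session.permissions
    if not allowed:
        audit_log.append({
            "user": req.session.user,
            "tool": req.tool,
            "token_in_url": "token" in req.query,
        })
    return allowed

def handle_tool_request(req: Request) -> int:
    """HTTP status the builder-tool endpoint should return."""
    return 200 if authorize_tool_access(req) else 403
```

A denied entry whose `token_in_url` is true for a user with no builder permission is the pattern a detection rule would flag.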