Key vulnerability information

Vulnerability title
Unauthorized access to private project security dashboard

Vulnerability description
Summary: A user with guest permissions cannot view the security dashboard of a private project. However, this restriction is not applied when a user's permission changes from maintainer to guest. As a result, if the user was previously a maintainer in the project, they can add the project to their security dashboard, and when their access level is reduced to guest, they can still view new security vulnerability results found in the project through their security dashboard.

Steps to reproduce:
- User A creates a private project and adds User B as maintainer.
- User B adds the project to the security dashboard.
- User A reduces User B's permission to guest.
- User B can still see the security dashboard.

Impact: The impact is very high, as a malicious user can exploit the vulnerabilities.

Vulnerability labels
Labels:
- Category:Vulnerability Management
- HackerOne
- backend
- devops
- security dashboard
- priority:3
- severity:3
- type:bug

Other information
Status: Complete
Due Date: July 19, 2020
Priority: 3
Severity: 3
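The reproduction steps above describe a stale-authorization bug: the access check runs once, when the project is added to the dashboard, and is never repeated when the dashboard is read. The following Ruby model, added here as an illustration and not GitLab's own code, contrasts a dashboard that checks only at add time with one that re-evaluates the member's current access level on every read. The role numbers, the Developer minimum for viewing vulnerabilities, and the class and method names are assumptions made for the example; the vulnerability finding is a constructed string.

```ruby
# Added example (not GitLab's code): a security dashboard must enforce the
# user's *current* project access level at read time, not only at add time.

# Assumed role ordering for this example.
ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40 }.freeze
# Assumption: viewing vulnerability results requires at least Developer.
MIN_LEVEL_FOR_VULNERABILITIES = ACCESS_LEVELS[:developer]

class Project
  attr_reader :name, :vulnerabilities

  def initialize(name)
    @name = name
    @members = {}          # user name => numeric access level
    @vulnerabilities = []  # findings produced by later pipeline runs
  end

  def set_role(user, role)
    @members[user] = ACCESS_LEVELS.fetch(role)
  end

  # Non-members get 0, which is below every real role.
  def access_level(user)
    @members.fetch(user, 0)
  end
end

# Vulnerable pattern: authorization happens once, when the project is added.
class AddTimeCheckedDashboard
  def initialize
    @projects = []
  end

  def add_project(user, project)
    unless project.access_level(user) >= MIN_LEVEL_FOR_VULNERABILITIES
      raise ArgumentError, "#{user} may not add #{project.name}"
    end
    @projects << project
  end

  # No re-check: a stale grant keeps leaking new findings after a demotion.
  def vulnerabilities(_user)
    @projects.flat_map(&:vulnerabilities)
  end
end

# Fixed pattern: the add-time check is kept, but every read filters the
# dashboard's projects by the user's access level *right now*.
class ReadTimeCheckedDashboard < AddTimeCheckedDashboard
  def vulnerabilities(user)
    @projects
      .select { |p| p.access_level(user) >= MIN_LEVEL_FOR_VULNERABILITIES }
      .flat_map(&:vulnerabilities)
  end
end

# Replays the report's steps: B is maintainer, adds the project, is demoted
# to guest (optional), then a new finding appears and B reads the dashboard.
def reproduce(dashboard_class, demote: true)
  project = Project.new("private-project")
  project.set_role("user_b", :maintainer)          # step 1 (User A adds B)
  dashboard = dashboard_class.new
  dashboard.add_project("user_b", project)         # step 2
  project.set_role("user_b", :guest) if demote      # step 3
  project.vulnerabilities << "new finding (constructed)"  # found after demotion
  dashboard.vulnerabilities("user_b")              # step 4
end

if $PROGRAM_NAME == __FILE__
  puts "add-time check only: #{reproduce(AddTimeCheckedDashboard).inspect}"
  puts "read-time check:     #{reproduce(ReadTimeCheckedDashboard).inspect}"
end
```

The fix is not to forbid adding projects; it is to treat the dashboard's project list as a set of references whose visibility is decided by the live membership record each time it is rendered, so that removing or downgrading a member takes effect immediately without touching every dashboard that references the project.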