Vulnerability Information
Although we use advanced large-model technology, its output may still contain inaccurate or outdated information. 神龙 strives to ensure the accuracy of its data, but please verify and judge according to your actual situation.
Vulnerability Title
HomeBox has Unauthorized API Access via Retained defaultGroup ID After Group Access Revocation
Vulnerability Description
HomeBox is a home inventory and organization system. Versions prior to 0.25.0 contain a vulnerability in which the defaultGroup ID assigned to a user when they were invited to a group remained set permanently, even after their access to that group was revoked. The web interface correctly enforced the revocation and prevented the user from viewing or modifying the group's contents, but the API did not. Because the original group ID persisted as the user's defaultGroup, and that value was not validated against current membership when the X-Tenant header was omitted, the user could still perform full CRUD operations on the group's collections through the API, bypassing the intended access controls. This issue has been fixed in version 0.25.0.
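The failure mode described above, as an added example that is not HomeBox's own code: a hypothetical tenant-resolution helper in the vulnerable shape (it validates an explicit X-Tenant value but trusts the stored defaultGroup unchecked when the header is absent) beside a hardened form that checks membership for whichever group ID is actually in effect, plus a revocation routine that clears the stale default. All type and function names (User, Membership, resolveTenantVulnerable, resolveTenantFixed, revokeAccess) and the sample users and groups are assumptions for this illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// User holds the two fields this example needs. The field names are
// assumptions for the illustration, not HomeBox's actual schema.
type User struct {
	ID           string
	DefaultGroup string // set on invite; the pre-0.25.0 behaviour left it in place after revocation
}

// Membership is the authoritative record of which users belong to which
// groups (userID -> groupID -> member). Also an assumption for this example.
type Membership map[string]map[string]bool

// ErrForbidden is returned when the caller has no access to the resolved group.
var ErrForbidden = errors.New("user is not a member of the requested group")

// isMember is safe on missing users: indexing a nil inner map yields false.
func (m Membership) isMember(userID, groupID string) bool {
	return m[userID][groupID]
}

// resolveTenantVulnerable mirrors the bug described in the advisory: an
// explicit X-Tenant value is validated, but when the header is omitted the
// stored DefaultGroup is trusted without any membership check, so a stale
// DefaultGroup keeps granting access after revocation.
func resolveTenantVulnerable(u User, xTenant string, m Membership) (string, error) {
	if xTenant != "" {
		if !m.isMember(u.ID, xTenant) {
			return "", ErrForbidden
		}
		return xTenant, nil
	}
	return u.DefaultGroup, nil // unchecked fallback: the access-control bypass
}

// resolveTenantFixed validates whichever group ID ends up in effect, whether
// it came from the header or from the stored default.
func resolveTenantFixed(u User, xTenant string, m Membership) (string, error) {
	groupID := xTenant
	if groupID == "" {
		groupID = u.DefaultGroup
	}
	if groupID == "" || !m.isMember(u.ID, groupID) {
		return "", ErrForbidden
	}
	return groupID, nil
}

// revokeAccess removes the membership and, if the revoked group was the
// user's default, clears it so no stale group ID survives the revocation.
// This is defence in depth: resolveTenantFixed rejects the stale value anyway.
func revokeAccess(u *User, groupID string, m Membership) {
	delete(m[u.ID], groupID) // delete on a nil inner map is a no-op
	if u.DefaultGroup == groupID {
		u.DefaultGroup = ""
	}
}

func main() {
	// Constructed sample data: alice was invited to "shared", then revoked
	// the pre-0.25.0 way (membership removed, DefaultGroup left in place).
	m := Membership{"alice": {"shared": true}}
	alice := User{ID: "alice", DefaultGroup: "shared"}
	delete(m["alice"], "shared")

	g, err := resolveTenantVulnerable(alice, "", m)
	fmt.Printf("vulnerable, no X-Tenant: group=%q err=%v\n", g, err) // group="shared" err=<nil>

	g, err = resolveTenantFixed(alice, "", m)
	fmt.Printf("fixed, no X-Tenant:      group=%q err=%v\n", g, err) // group="" err=user is not a member of the requested group
}
```

The point the example makes is that the header check alone is not the control: any code path that turns a request into an effective group ID must end in the same membership check, and stored defaults must be treated as untrusted hints rather than as proof of access.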
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Vulnerability Type
Incorrect Ownership Assignment
Vulnerability Title
HomeBox Security Vulnerability
Vulnerability Description
HomeBox is an open-source inventory and organization system built for home users, published by SysAdmins Media. Versions of HomeBox before 0.25.0 contain a security vulnerability: the defaultGroup ID is permanently assigned to a user after they are invited to a group and, even after that access is revoked, the API does not validate it correctly, which can lead to an access-control bypass.
CVSS Information
N/A
Vulnerability Type
N/A