# Vulnerability Summary: Unauthorized Access to Project Dashboard Data in Chartbrew

## Vulnerability Overview

In the `chartbrew` project, there is a legacy dashboard route located at `/api/project/dashboard/:brewName`. This route suffers from a **horizontal privilege escalation** vulnerability (same-team override).

- **Cause**: The route only verifies that the requester belongs to the same team (`TeamRole`) but **fails to verify** whether the requester has permission to access the specific project (i.e., it does not check `teamRole.projects.includes(project.id)`).
- **Impact**: Any authenticated low-privilege user within the same team can read dashboard data from other projects, provided they know the target project's `brewName`. This includes the **plaintext report passwords** stored within the project.

## Scope of Impact

- **Affected Version**: 4.9.0
- **Fixed Version**: v5.0.0
- **Severity**: Moderate (CVSS v3 Base Score: 6.5/10)
- **Attack Vector**: Network
- **Confidentiality Impact**: High

## Remediation

Upgrade to version **v5.0.0** or later.
## Vulnerable Code Path

**File 1: `server/api/ProjectRoute.js`**

```javascript
// server/api/ProjectRoute.js
app.get("/project/dashboard/:brewName", getIssuerFromToken, async (req, res) => {
  const project = await projectController.getPublicDashboard(req.params.brewName);
  processedProject = _.omitBy(project, (project) => {
    processedProject.setDataValue("password", "");
  });

  if (req.user) {
    const teamRole = await teamController.getTeamRole(project.team_id, req.user.id);
    // Only team membership is checked; there is no check that
    // teamRole.projects includes project.id.
    if (teamRole && teamRole.role) {
      // The unsanitized `project` (password intact) is returned, not `processedProject`.
      return res.status(200).send(project);
    }
  }
});
```

**File 2: `server/controllers/ProjectController.js`**

```javascript
// server/controllers/ProjectController.js
getPublicDashboard(brewName) {
  return db.Project.findOne({
    where: { brewName },
    include: [{ model: db.Chart, where: { onReport: true } }, { model: db.SharePolicy }],
  });
}
```

## Proof of Concept (PoC)

**Prerequisites**:

- The attacker and the victim belong to the same team.
- The attacker knows or can guess the victim's `brewName`.

**PoC Code**:

```http
GET /api/project/dashboard/sales_dashboard_42 HTTP/1.1
Authorization: Bearer 
```

**Expected Result**: The server returns the victim's dashboard data, including charts, dashboard filters, share policy data, and the **original report password** (in plaintext).
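The following is an added example, not Chartbrew's own code and not necessarily how v5.0.0 fixes the issue. It reduces the route to a pure authorization decision plus a serializer so it runs without Express, Sequelize or lodash, and places the flawed check (team membership only) beside a hardened one that also requires `teamRole.projects.includes(project.id)` and blanks the password before sending. The project rows, team roles, user ids and role names are constructed sample data; the `projects` array on the role and the `password` field follow the shapes the advisory names.

```javascript
// Added example (not Chartbrew's code). Constructed data: one team (id 7),
// two projects, a low-privilege member (101) restricted to project 1, and a
// team owner (202) with access to both projects.
const TEAM_ID = 7;

const projects = {
  sales_dashboard_42: {
    id: 2, team_id: TEAM_ID, brewName: "sales_dashboard_42",
    password: "report-secret", Charts: [{ id: 10, onReport: true }],
  },
  ops_overview: {
    id: 1, team_id: TEAM_ID, brewName: "ops_overview",
    password: "", Charts: [],
  },
};

// Keyed as "<team_id>:<user_id>"; the `projects` list is the per-project grant.
const teamRoles = {
  "7:101": { role: "projectViewer", projects: [1] }, // hypothetical role name
  "7:202": { role: "teamOwner", projects: [1, 2] },   // hypothetical role name
};

// Stand-ins for projectController.getPublicDashboard / teamController.getTeamRole.
function getPublicDashboard(brewName) {
  return projects[brewName] || null;
}
function getTeamRole(teamId, userId) {
  return teamRoles[`${teamId}:${userId}`] || null;
}

// Flawed decision: any role on the team grants access to every project.
function canViewDashboardVulnerable(project, teamRole) {
  return Boolean(teamRole && teamRole.role);
}

// Hardened decision: team membership AND an explicit grant for this project.
function canViewDashboardHardened(project, teamRole) {
  if (!teamRole || !teamRole.role) return false;
  if (!Array.isArray(teamRole.projects)) return false;
  return teamRole.projects.includes(project.id);
}

// Blank the report password before the row is serialized, whatever the role.
function sanitizeDashboard(project) {
  return { ...project, password: "" };
}

// The handler in miniature: returns { status, body } instead of writing to `res`.
// `policy.authorize` decides access; `policy.serialize` shapes the response.
function handleDashboardRequest(brewName, userId, policy) {
  const project = getPublicDashboard(brewName);
  if (!project) return { status: 404, body: { error: "not found" } };
  const teamRole = getTeamRole(project.team_id, userId);
  if (!policy.authorize(project, teamRole)) {
    return { status: 403, body: { error: "forbidden" } };
  }
  return { status: 200, body: policy.serialize(project) };
}

// As described in the advisory: membership-only check, raw row sent back.
const vulnerablePolicy = { authorize: canViewDashboardVulnerable, serialize: (p) => p };
// Per-project grant required, secrets stripped.
const hardenedPolicy = { authorize: canViewDashboardHardened, serialize: sanitizeDashboard };

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", handleDashboardRequest("sales_dashboard_42", 101, vulnerablePolicy));
  console.log("hardened:  ", handleDashboardRequest("sales_dashboard_42", 101, hardenedPolicy));
}
```

Under `vulnerablePolicy` user 101 receives project 2 with `password: "report-secret"`; under `hardenedPolicy` the same request is refused with 403, the owner still gets the dashboard, and even the owner's response carries an empty password. Keeping the authorization decision in a function that takes only the project and the role makes the missing `includes` check easy to unit-test in isolation.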