Chartbrew v5 Access Control & Data Exposure Fixes

### Vulnerability Overview - **Vulnerability Name**: Not explicitly specified; however, it involves multiple security-related improvements and fixes. - **Vulnerability Description**: - **Invitation Token Validation**: Added invitation token checks in the `/invited` route and related invitation/registration flows. - **Refined Access Control**: Adjusted role and query builder permissions, enabling project administrators to correctly operate on labeled datasets. - **Labeled Dataset Editing Restrictions**: Prevented project access users from editing labeled datasets outside their permitted scope. - **Report Access Hardening**: Blocked users within the same team from accessing reports they do not have permission to view by guessing report names. - **Shared Policy Refresh Protection**: Ensured that `allowReportRefresh` cannot bypass shared policy tokens or report passwords. - **Shared Policy Permissions**: Prevented team members from editing shared policies for projects they do not have access to. - **Hidden Chart Protection**: Fixed an issue where hidden charts in public reports could still be accessed if the chart ID was known. ### Impact Scope - **Affected Users**: All users of Chartbrew v5, particularly those involved in invitations, registration, dataset editing, report access, and shared policy management. - **Affected Functions**: Key functions such as invitation token validation, access control, dataset editing, report access, and shared policy management. ### Remediation - **Invitation Token Validation**: Added invitation token checks in the `/invited` route and related flows. - **Refined Access Control**: Adjusted role and query builder permissions to ensure project administrators can correctly operate on labeled datasets. - **Labeled Dataset Editing Restrictions**: Implemented restrictions to prevent project access users from editing labeled datasets beyond their allowed scope. - **Report Access Hardening**: Blocked users within the same team from accessing reports they lack permission to view by guessing report names. - **Shared Policy Refresh Protection**: Ensured that `allowReportRefresh` cannot bypass shared policy tokens or report passwords. - **Shared Policy Permissions**: Prevented team members from editing shared policies for projects they do not have access to. - **Hidden Chart Protection**: Fixed the issue where hidden charts in public reports could still be accessed if the chart ID was known. ### POC Code or Exploit Code - No specific POC code or exploit code was included in the page.

Goal Reached Thanks to every supporter — we hit 100%!

Chartbrew v5 Access Control & Data Exposure Fixes

More from this source