Executive Summary

This vulnerability exists in the People application, which manages users, teams, and permissions within La Suite. Before version 1.25.0, an attacker with the Administrator role on a mail domain could send a specially crafted invitation request to promote any existing user, even those without current domain access, to the Owner role. This promotion happens immediately upon a single authenticated HTTP request and does not require any acceptance from the targeted user.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability allows an attacker with Administrator privileges on a mail domain to escalate privileges by promoting any user to the Owner role without consent. This results in the attacker or a chosen user gaining full ownership of the domain, potentially leading to unauthorized control over domain resources and permissions.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, upgrade the People application to version 1.25.0 or later, where the issue has been patched.

Additionally, review and restrict Administrator role assignments on mail domains to trusted users only, as the exploit requires an authenticated Administrator.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an attacker with Administrator privileges on a mail domain to escalate any existing user to the Owner role without consent, granting full domain ownership immediately. This unauthorized privilege escalation could lead to improper access control and potential misuse or exposure of sensitive data.

Such unauthorized access and control over user roles and domain ownership may violate compliance requirements in standards like GDPR and HIPAA, which mandate strict access controls and protection of personal and sensitive information.

However, the provided context does not explicitly discuss the impact on compliance with these or other regulations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for suspicious authenticated HTTP requests that create invitations with elevated roles, especially those promoting users to the Owner role without proper authorization.

Specifically, detection involves inspecting requests to the MailDomainInvitationViewset.create() API endpoint for crafted invitation payloads that assign Owner roles to existing users.

Suggested commands include using network traffic inspection tools like curl or HTTP request logging to identify such requests. For example, you can use curl to simulate or detect suspicious requests:

• curl -v -X POST https://your-people-instance/api/maildomaininvitations/ -H 'Authorization: Bearer <token>' -d '{"email": "[email protected]", "role": "OWNER"}'

Additionally, review application logs for invitation creation events where the role assigned is Owner and verify if the requester had sufficient privileges to grant that role.

Useful 0 Not Useful 0