Regular user can add InvitationConfig Page

SUBMISSION REFERENCES

• Submission code: XWIKI-GSMBP38G
• Submission URL: https://www.intigriti.com/auth/dashboard?redirect=/submissions/e95a7ad5-7029-4627-abf0-3e3e3ea0b4ce/XWIKI-GSMBP38G

RESEARCHER INFORMATION

• Submitter: renniepak

SUBMISSION INFORMATION

• Created at: Sat, 12 Nov 2022 15:16:02 GMT
• Submission status: Archived

REPORT CONTENT

• Severity: Medium (4.3)
• Domain: https://intigriti.xwiki.com/ (Url)
• Proof of concept: Hi XWiki team,

I have found a weird issue where a regular user can create a InvitationConfig page although they don't have rights to create any pages. An additional consequence is that this page will show up in the Navigation bar. The user doesn't seem to control any specific characteristics of the Page (like title/path), nor can they delete/edit the created page.

1. 1. Reproduction

1. Login as a regular user and navigate to https://intigriti.xwiki.com/xwiki/rest/liveData/sources/liveTable/entries?sourceParams.resultPage=Invitation.InvitationMemberActions

1. 1. Result

A new page is added which shows up in the Navigation: https://intigriti.xwiki.com/xwiki/bin/view/%24%7Bdoc/getSpace%28%29%7D/InvitationConfig

(This is how it will show up on the homepage https://intigriti.xwiki.com/xwiki/bin/view/Main/)

I also tried this on a local instance. When the admin deletes the created page, the regular user can simply recreate it by going to the same url.

• Impact: I'll admit the impact isn't huge, however this issue does impact the integrity of the application by creating page as a user who shouldn't be allowed to do so. Additionally, the admin isn't able to do anything about it except keep deleting the pages the user created (and of course ultimately blocking the user)
• Personal data involved: No
• Endpoint: http://0.0.0.0:8080/rest/liveData/sources/liveTable/entries?sourceParams.resultPage=Invitation.InvitationMemberActions
• Type: Improper Access Control (Generic)
• Attachments: Screenshot 2022-11-12 161406.png