huntr Haxatron 0BC8B3F7-9057-4EB7-A989-24CD5689F114
History: Dec 28, 2021 - 7:53 p.m.

Improper Access Control in bookstackapp/bookstack

2021-12-28 19:53:53
haxatron
www.huntr.dev
5
improper access control
bookstackapp
bookstack
restricted chapters
limited permissions
security vulnerability

EPSS

0.001

Percentile

21.8%

Description

Permissions on the parentChapter are not enforced during sort. Users with only book-update permissions on their own page can move their pages into restricted chapters by modifying the parentChapter id in the sortmap. Users do not need access to the restricted book / chapter in order to perform this attack.

Proof of Concept

[{"id":"3","sort":0,"parentChapter":"5","type":"page","book":"3"}]

The attacker has update permissions on page ID 3 and book ID 3.
The attacker does not have any permissions on chapter ID 5.

Sending the above sortmap will cause page ID 3 to be moved to chapter ID 5, bypassing permission checks.

Impact

This vulnerability allows users with page-update and book-update permissions on any page and book to essentially create pages in any chapter on the application.
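
The missing check, sketched as an added example (not BookStack's code or its actual fix): every sort map entry is validated against the destination chapter as well as the moved item and the target book. The grants table, the `can` helper, the chapter-to-book lookup and the choice of requiring update permission on the target chapter are assumptions made for illustration.

```python
import json

# Constructed data mirroring the report: update rights on page 3 and book 3 only.
ATTACKER_GRANTS = {("page", 3): {"update"}, ("book", 3): {"update"}}
CHAPTER_BOOK = {5: 3, 7: 9}  # constructed: chapter id -> owning book id
POC = '[{"id":"3","sort":0,"parentChapter":"5","type":"page","book":"3"}]'


def can(grants, entity_type, entity_id, action):
    """Hypothetical permission lookup; a real app would ask its own ACL layer."""
    return action in grants.get((entity_type, entity_id), set())


def check_sort_entry(entry, grants, chapter_book):
    """Return the reasons to reject one sort map entry (empty list = allowed)."""
    try:
        item_type = entry["type"]
        if item_type not in ("page", "chapter"):
            raise ValueError(item_type)
        item_id, book_id = int(entry["id"]), int(entry["book"])
        raw = entry.get("parentChapter")
        chapter_id = None if raw in (None, "", False) else int(raw)
    except (KeyError, TypeError, ValueError):
        return ["malformed entry"]
    reasons = []
    if not can(grants, item_type, item_id, "update"):
        reasons.append("no update permission on moved item")
    if not can(grants, "book", book_id, "update"):
        reasons.append("no update permission on target book")
    if chapter_id is not None:
        # The check the report describes as missing: the destination chapter.
        if not can(grants, "chapter", chapter_id, "update"):
            reasons.append("no update permission on target chapter")
        # Also refuse a chapter that does not belong to the stated book.
        if chapter_book.get(chapter_id) != book_id:
            reasons.append("target chapter is not in target book")
    return reasons


def validate_sort_map(raw_json, grants, chapter_book):
    """Check every entry; return {entry index: reasons} for rejected entries."""
    rejected = {}
    for index, entry in enumerate(json.loads(raw_json)):
        reasons = check_sort_entry(entry, grants, chapter_book)
        if reasons:
            rejected[index] = reasons
    return rejected


print(validate_sort_map(POC, ATTACKER_GRANTS, CHAPTER_BOOK))
```

The whole sort request should be refused if any entry is rejected, so that a partially valid map cannot move some items before the failing check is reached.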
