CVSS3
Attack Vector
ADJACENT
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
14.7%
At the top level every collection shows blank items for an Author if they did not create the item. This is ideal and works great. However if you associate one private collection to another private collection and an Author creates a new item. The pull down should not show the admins list of previously created items. It should be blank unitl they add their own items.
Security vulnerability where authors have access to protected data created by admin. This could be passwords emails or any other item created for the admin’s collection.
See images below for more context
Permissions set
Good at top level no items seen
Drop down in Author login can see Admin data
CVSS3
Attack Vector
ADJACENT
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
14.7%