Application Description

Winningtemp is a solution provided by Winningtemp AB for measuring employee engagement and well-being. It lets organisations address employee concerns and drive continuous improvement through recurring anonymous feedback.

Summary

Winningtemp’s JavaScript frontend dynamically reveals features based on the user’s permissions and the organisation’s configuration. Because this gating is done entirely on the client, an adversary can simply tell their web browser, for example through an intercepting proxy, that they are allowed to access everything.

The backend enforces authorisation for some features, but not for all of them. An adversary could, for example, create new groups and schedule those groups to take part in “temperature meetings” (Swedish: temperaturmöte).

Severity Scoring

Medium (5.3) CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

An authenticated adversary can affect the integrity of the data by invoking functions that should not be accessible to their role.

Technical Details

  1. Log on to Winningtemp as a regular user.
  2. Using an intercepting proxy, automatically replace “false” with “true” in the body of every HTTP response.
  3. Reload the page and note that additional options are now available. Some pop-up windows cannot be dismissed: the frontend fails because the backend endpoints behind the newly revealed features are not available to this user. Remove the DOM elements associated with the pop-up windows to continue.

Winningtemp Missing Function Access Control

  4. Explore the additional views. Note that temperature meetings at /UserTempMeeting are now accessible (requesting that URL directly before step 2 results in a redirect to /Overview).
  5. Opt to create a meeting (Swedish: “Skapa möte”) and follow the steps to create a temperature meeting.
  6. A particular team is needed to create the meeting. Note that it is possible to create a new team out of existing co-workers.
  7. Although the meeting is created, it does not appear to be possible to join the meeting once it starts.

Beyond temperature meetings, the revealed views expose further functions.
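The following is an added example, not Winningtemp’s code, that models the pattern described above in plain Node.js: a permissions response that the frontend uses to hide features, the proxy rewrite from step 2 that flips every "false" to "true", a backend handler that trusts the client-side gating (the vulnerable shape), and the same handler with a server-side authorisation check. The user names, roles, permission flags and the /api/permissions and /api/teams endpoints are assumptions made for the example.

```javascript
'use strict';

// Server-side truth: who holds which role, and what each role may do.
// Names, roles and permission flags are assumptions for this example.
const USERS = {
  alice: { role: 'admin' },
  bob: { role: 'employee' },
};
const ROLE_PERMISSIONS = {
  admin: { canCreateTeam: true, canScheduleTempMeeting: true },
  employee: { canCreateTeam: false, canScheduleTempMeeting: false },
};

// Hypothetical GET /api/permissions: the JSON the frontend uses to decide
// which menu entries and views to render for the logged-in user.
function permissionsResponse(user) {
  return JSON.stringify(ROLE_PERMISSIONS[USERS[user].role]);
}

// Frontend gating: only features whose flag is true get a menu entry.
function visibleFeatures(permissionsJson) {
  const flags = JSON.parse(permissionsJson);
  return Object.keys(flags).filter((k) => flags[k] === true);
}

// Step 2 of the procedure: an intercepting proxy rewriting every "false" to
// "true" in the response body before the browser parses it.
function proxyRewrite(body) {
  return body.replace(/false/g, 'true');
}

// Looks the permission up in the server-side store; unknown users get false.
function authorize(user, permission) {
  const role = USERS[user] && USERS[user].role;
  return Boolean(role && ROLE_PERMISSIONS[role][permission]);
}

// Vulnerable handler for a hypothetical POST /api/teams: it assumes that only
// users who were shown the "create team" button will ever call it.
function createTeamVulnerable(state, user, team) {
  state.teams.push({ owner: user, ...team });
  return { status: 200 };
}

// Fixed handler: every state-changing request is authorised against the
// server-side store, whatever the client happened to render.
function createTeamFixed(state, user, team) {
  if (!authorize(user, 'canCreateTeam')) {
    return { status: 403 };
  }
  state.teams.push({ owner: user, ...team });
  return { status: 200 };
}

// Replays the advisory's scenario for one user and returns what each side
// observed, so the outcome can be checked rather than only printed.
function scenario(user) {
  const original = permissionsResponse(user);
  const rewritten = proxyRewrite(original);
  // Constructed request body: a new team built out of existing co-workers.
  const team = { name: 'Red team', members: ['carol', 'dave'] };
  const vulnerable = { teams: [] };
  const fixed = { teams: [] };
  return {
    featuresBefore: visibleFeatures(original),
    featuresAfter: visibleFeatures(rewritten),
    vulnerableStatus: createTeamVulnerable(vulnerable, user, team).status,
    vulnerableTeams: vulnerable.teams.length,
    fixedStatus: createTeamFixed(fixed, user, team).status,
    fixedTeams: fixed.teams.length,
  };
}

console.log(JSON.stringify(scenario('bob'), null, 2));
```

For the regular user the rewritten response makes both features visible, the vulnerable handler stores the team (the integrity impact the CVSS vector scores as VI:L), and the fixed handler returns 403 without touching state. The point of the fix is that the permission flags sent to the browser are a rendering hint only; the same lookup has to run again on every mutating endpoint.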

Vulnerability Disclosure Timeline

2024-06-07 - Discovered, asked vendor for preferred way of disclosure.
2024-06-10 - Vendor replies. Issue disclosed to vendor.
2024-06-20 - Asked vendor for an update.
2024-06-26 - Vendor confirms that the issue is resolved.
2024-06-28 - Publicly disclosed.