cerebrate-project / cerebrate

Cerebrate is an open-source platform meant to act as a trusted contact information provider and interconnection orchestrator for other security tools.
https://www.cerebrate-project.org/
GNU Affero General Public License v3.0
82 stars, 16 forks

A Team Representative can add users with an email that belongs to another organisation - Bug report #143

Closed amicaross closed 1 year ago

amicaross commented 1 year ago

Priority: Low

A Team representative from ORG-A (e.g. user@org-a) should not be able to add users with an email that belongs to the ORG-B domain (e.g. user@org-b).

iglocska commented 1 year ago

This is somewhat tricky to enforce as domains are not directly tied to an organisation. For example, certain teams might have multiple domains used for e-mail addresses (in the case of CIRCL, it could be @lhc.lu for example).

Either way, the potential impact would be a team-rep disclosing their own organisation to a third party, so the potential damage with misuse is simply self-harm.

However, please feel free to re-open the issue if you see any other potential issues / solutions with this.
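The check the report asks for, and the complication iglocska raises, can both be made concrete. The following is an added example written for this page, not code from the Cerebrate project: it models an organisation as owning a set of e-mail domains (more than one, as in the CIRCL / @lhc.lu case) and decides whether a team representative may add an address. The `Org` class, the domain lists, the addresses and the `allow_subdomains` option are all constructed assumptions for the illustration; the normalisation and parsing steps show why a naive string comparison on the text after the `@` is not enough.

```python
"""
Added example (not Cerebrate's own code): a per-organisation e-mail domain
allowlist of the kind issue #143 requests. Organisation names, domain lists
and addresses are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Org:
    name: str
    # Every domain this organisation legitimately uses for staff e-mail.
    # Constructed values; the page notes that one team can use several
    # domains (CIRCL also using @lhc.lu), so this is a set, not one string.
    domains: Set[str] = field(default_factory=set)
    # Assumed option: also accept hosts under a declared domain
    # (e.g. staff.org-a.example under org-a.example).
    allow_subdomains: bool = False


def _normalise_domain(domain: str) -> str:
    # DNS names are case-insensitive and a trailing dot denotes the root
    # zone, so "Org-A.Example." must compare equal to "org-a.example".
    return domain.strip().rstrip(".").lower()


def email_domain(email: str) -> Optional[str]:
    """Return the normalised domain of an address, or None if it is malformed.

    Rejects addresses with zero or more than one '@' (a second '@' would let
    "user@org-a.example@evil.example" pass a naive split on the first '@'),
    an empty local part, an empty domain, or an empty DNS label.
    """
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    if not local or not domain:
        return None
    domain = _normalise_domain(domain)
    if not domain or any(label == "" for label in domain.split(".")):
        return None
    return domain


def email_belongs_to(org: Org, email: str) -> bool:
    """True if the address's domain is one the organisation has declared."""
    domain = email_domain(email)
    if domain is None:
        return False
    for allowed in org.domains:
        allowed = _normalise_domain(allowed)
        if domain == allowed:
            return True
        # Subdomain match must be label-based: "org-a.example.evil.example"
        # does not end with ".org-a.example", so it is correctly refused.
        if org.allow_subdomains and domain.endswith("." + allowed):
            return True
    return False


def can_add_user(actor_org: Org, new_user_email: str) -> bool:
    """Policy from the issue: a team representative may only add users whose
    e-mail domain is one declared for the representative's own organisation."""
    return email_belongs_to(actor_org, new_user_email)


if __name__ == "__main__":
    org_a = Org("ORG-A", {"org-a.example", "lhc.example"})
    for addr in ("user@org-a.example", "user@lhc.example", "user@org-b.example"):
        print(addr, "->", can_add_user(org_a, addr))
```

Whether such a check is worth having at all is a separate question from whether it can be written: as the thread notes, the only party a misbehaving representative can expose this way is their own organisation, and the domain list still has to be maintained by someone who knows every domain the team uses.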