Broken session control leads to access the admin panel even after revoking the access!! — #ZOHO

Hey Guy’s

Every IT Guy Know about the Zoho people plus, it is mostly used by the employees in the companies. Recently i found a vulnerability in Zoho people plus, the interesting thing is even after revoking the admin access, a user can still able to make changes on the Zoho people plus as a admin. All these changes are getting effected.

For example:

Let’s assume a scenario that the HR team by mistakenly or purposely giving admin access or any other role to the specific person in an organization. After sometime the HR team is revoking the access to that particular person, then also the user can able to access the admin features. They can change anything they want inside the admin panel and can perform all action that an admin can. The reason behind this issue is, After revoking access, here it is not checking whether the user is properly authorized for doing such action or not and the assigned token is not expiring after revoking the access.

Final POC Video:

Fix Status : Fixed

Reward: After panel meet… :)

So see y’all in a new write-up soon guys !!

Thanks for reading !!

Make sure to follow me on Twitter ;)





Red teamer, Security Researcher

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Attackers/Fraudsters Never Retires, They Just Evolves — Uncovering a Scheduled Russian SCAM

XT.COM Will List CROGE(CrogeCoin) and Open Its Trading

{UPDATE} 戰國時代OL Hack Free Resources Generator

Synthetic ID Fraud — Causes, Identification & Prevention

{UPDATE} QUIZDOM - Kings of Quiz Hack Free Resources Generator

#Cryptocoach Day 73

{UPDATE} Canba Hack Free Resources Generator

Zenlink partnered with Patract and joined the Patract Open Platform

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


Red teamer, Security Researcher

More from Medium

CVE Program Report for Q4 Calendar Year 2021

( Case: SOC169 — Possible IDOR Attack Detected

DC-2 — VulnHub

DCG 201 Online CTF — JerseyCTF II — April 9th-10th