Hi Everyone! I recently discovered a Broken Access Control / Privilege Escalation vulnerability in a SaaS platform (ExampleCenter) that allowed a low-privileged user (Scheduler role) to perform editor-level administrative actions via direct API calls.
For this discovery, I was awarded a $700 bounty along with a $100 bonus for retesting. Let’s explore how this bug worked, how I exploited it, and why it was important.
Understanding the Target
ExampleCenter is a SaaS platform used for managing teams, scheduling, and workflows within organizations. It follows a role-based access control model:
- Editors/Admins → Can manage teams, structure, and permissions
- Schedulers → Can only assign people to existing teams
To maintain proper security boundaries, only Editors and Admins should be able to:
- Create teams
- Copy teams
- Assign team leaders
- Modify team configurations
The UI correctly enforces this restriction by displaying:
“Only editors can create teams.”
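The UI message is a hint, not an enforcement point; the boundary has to be checked again inside every API handler. The following is an added illustration, not ExampleCenter's code, of a server-side policy that mirrors the role model above: the caller's role comes from the session, each handler is gated by a policy lookup, and every allow/deny decision is recorded so a scheduler hitting an editor-only endpoint shows up in the audit trail. Role and action names are assumptions made for this example.

```python
from dataclasses import dataclass, field
from enum import Enum

class Role(Enum):
    SCHEDULER = "scheduler"
    EDITOR = "editor"
    ADMIN = "admin"

# Server-side policy mirroring the boundaries described above. Action and
# role names are assumptions for this example, not ExampleCenter identifiers.
POLICY = {
    "team.create": {Role.EDITOR, Role.ADMIN},
    "team.copy": {Role.EDITOR, Role.ADMIN},
    "team.assign_leader": {Role.EDITOR, Role.ADMIN},
    "team.modify_config": {Role.EDITOR, Role.ADMIN},
    "team.assign_member": {Role.SCHEDULER, Role.EDITOR, Role.ADMIN},
}

@dataclass
class User:
    name: str
    role: Role  # taken from the server-side session, never from the request body

@dataclass
class Service:
    teams: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # (user, action, decision); alert on "deny"

def requires(action):
    """Enforce POLICY on every API handler, independent of what the UI shows."""
    def deco(fn):
        def wrapper(svc, user, *args, **kwargs):
            allowed = user.role in POLICY.get(action, set())  # unknown action: deny
            svc.audit.append((user.name, action, "allow" if allowed else "deny"))
            if not allowed:
                raise PermissionError(f"{user.role.value} may not perform {action}")
            return fn(svc, user, *args, **kwargs)
        return wrapper
    return deco

@requires("team.create")
def create_team(svc, user, name):
    svc.teams[name] = {"leader": None, "members": []}
    return name

@requires("team.assign_member")
def assign_member(svc, user, team, person):
    svc.teams[team]["members"].append(person)
    return list(svc.teams[team]["members"])
```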