- What is your product version? 9.0.1
- What is your product type (Angular or MVC)? Angular
- What is the product framework type (.net framework or .net core)? .NET Core

We logged into a specific tenant with SwaggerUI and noticed we were able to access certain information (TenantId) from another tenant just by knowing that tenant's name. For the specific example we found, it was the very first method: /api/services/app/Account/IsTenantAvailable. Using a known tenant name, the API returned the state, TenantId, and server address.

We were also able to query how many tenants were active on specific editions, so a user could gain access to internal information.

Has there been an audit conducted to identify how many tenant-to-tenant identifiable information concerns there may be? I was able to see penetration testing in the FAQ section, but that was geared more towards external/server access and not towards items like tenant metadata being exposed.
1 Answer(s)
Hi @smry
Unfortunately, we don't keep such information, but we hide security-related information about tenants.

IsTenantAvailable is an endpoint which doesn't require authentication. If you have specific endpoints which concern you, we can explain them for you. You can also check app services which don't have the Authorize attribute.
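The answer's suggestion of reviewing app services that lack the Authorize attribute can be turned into a repeatable inventory. The following is an added example, not code from the forum thread or from the ASP.NET Zero project: a reflection-based audit that lists every public application-service method reachable without an authorize attribute, so that anonymous endpoints such as IsTenantAvailable are an explicit, reviewed list rather than a surprise. It assumes the application-service assembly path is passed as the first argument (run from the application's bin folder so dependencies resolve), that app services implement an interface named IApplicationService, and that the authorization attributes are named AbpAuthorizeAttribute and AbpAllowAnonymousAttribute (matched by type name).

```csharp
using System;
using System.Linq;
using System.Reflection;

// Added example: inventory of app-service methods that are reachable anonymously.
// Assumption: attribute and interface names are matched by simple type name.
public static class AnonymousEndpointAudit
{
    static bool IsAuthorize(CustomAttributeData a) =>
        a.AttributeType.Name == "AbpAuthorizeAttribute";

    static bool IsAllowAnonymous(CustomAttributeData a) =>
        a.AttributeType.Name == "AbpAllowAnonymousAttribute";

    static Type[] LoadableTypes(Assembly asm)
    {
        try { return asm.GetTypes(); }
        catch (ReflectionTypeLoadException e)
        {
            // Keep the types that did load; unresolved dependencies skip the rest.
            return e.Types.Where(t => t != null).ToArray();
        }
    }

    public static void Main(string[] args)
    {
        var asm = Assembly.LoadFrom(args[0]); // hypothetical: path to the app-service DLL
        var appServices = LoadableTypes(asm).Where(t => t.IsClass && !t.IsAbstract
            && t.GetInterfaces().Any(i => i.Name == "IApplicationService"));

        foreach (var type in appServices)
        {
            bool classAuthorized = type.GetCustomAttributesData().Any(IsAuthorize);
            var methods = type.GetMethods(
                BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly);

            foreach (var m in methods)
            {
                var attrs = m.GetCustomAttributesData();
                // Anonymous if explicitly allowed, or if neither class nor method
                // carries the authorize attribute.
                bool anonymous = attrs.Any(IsAllowAnonymous)
                    || (!classAuthorized && !attrs.Any(IsAuthorize));
                Console.WriteLine($"{(anonymous ? "ANONYMOUS " : "AUTHORIZED")} {type.Name}.{m.Name}");
            }
        }
    }
}
```

The scan only sees attribute-based checks; methods that call a permission checker inside their body still show up as anonymous and need a manual look, which is the review the answer recommends.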