albandes/helpdezk

Authorization failure in multiple routes of the application.

m3n0sd0n4ld opened this issue · 1 comment

Describe the bug
A malicious and unauthenticated user would be able to extract confidential and internal information from the application with Helpdesk Community 1.1.10.

  • User names, email addresses, roles, etc.
  • Module information, programs, etc.

In addition, it has been proven that a malicious user would be able to register in the application with administrator role, managing to compromise the application.

To Reproduce
Steps to reproduce the behavior:
The remote and unauthenticated attacker only needs to know the endpoint of the application in question in order to extract the information without being properly authenticated.

The following is an example of several different points of the application:

Affected version (screenshot)

Registered user information (screenshot)

Departments (screenshot)

Programs (screenshot)

In addition, it has been proven that the application is deficient in relevant files such as user registration or update; this would allow the remote attacker to register malicious accounts with high privileges (e.g. administrator), or even perform privilege escalation of accounts with lower roles.

Malicious account registration without authentication (screenshot)

Access with the malicious account; it is evident that it has administrator privileges in the application (screenshot)

Expected behavior
The application should return a prohibition error due to lack of access; this message must be generic to avoid information leakage that could lead to an enumeration of users or other information.
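The expected behavior described in this report, as an added illustration that is not HelpDEZk code: a deny-by-default route guard in which every route declares a minimum role, every denial returns the same generic body, and a new account's role comes from server-side policy rather than from the request. The route paths, role names and the rule that account creation is an administrative action are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Illustrative only, not HelpDEZk code. Role names and routes are assumptions.
ROLES = {"user": 1, "admin": 2}
FORBIDDEN = (403, {"error": "forbidden"})  # one generic body for every denial

@dataclass
class Session:
    user: str
    role: str

# Every route declares the minimum role it needs. A route absent from this
# table is denied, so a route whose check was forgotten fails closed.
REQUIRED_ROLE = {
    "/users": "admin",        # names, e-mail addresses, roles
    "/departments": "user",
    "/programs": "user",
    "/register": "admin",     # account creation is an administrative action here
}

USERS: dict[str, str] = {}    # constructed in-memory store: user name -> role

def authorize(route: str, session: Optional[Session]) -> bool:
    needed = REQUIRED_ROLE.get(route)
    if needed is None or session is None:
        return False
    return ROLES.get(session.role, 0) >= ROLES[needed]

def register(body: dict) -> tuple[int, dict]:
    # The new account's role is fixed by server-side policy; a client-supplied
    # "role" field such as {"role": "admin"} is never read.
    name = body.get("name", "")
    if not name or name in USERS:
        return (400, {"error": "invalid request"})
    USERS[name] = "user"
    return (201, {"name": name, "role": USERS[name]})

def handle(route: str, session: Optional[Session], body: dict) -> tuple[int, dict]:
    # Authorization runs before any handler. Unknown route, anonymous caller and
    # insufficient role all get the identical response, so nothing is enumerable.
    if not authorize(route, session):
        return FORBIDDEN
    if route == "/register":
        return register(body)
    return (200, {"route": route, "data": []})
```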

Hi,

From INCIBE, they indicate to me the following identifier, CVE-2023-3037, reserved for this vulnerability; this will be effective as of 07/20/2023.

Best regards,