Authorization failure in multiple routes of the application.
m3n0sd0n4ld opened this issue · 1 comment
Describe the bug
A malicious and unauthenticated user would be able to extract confidential and internal information from the application with Helpdesk Community 1.1.10.
- user names, email addresses, roles, etc.
- module information, programs, etc.
In addition, it has been proven that a malicious user would be able to register in the application with an administrator role, managing to compromise the application.
To Reproduce
Steps to reproduce the behavior:
The remote and unauthenticated attacker only needs to know the endpoint of the application in question in order to extract the information without being properly authenticated.
The following are examples from several different points of the application:
Affected version
Registered user information
Departments
Programs
In addition, it has been proven that the application is deficient in relevant files such as user registration or update; this would allow the remote attacker to register malicious accounts with high privileges (e.g. administrator), or even perform privilege escalation on accounts with lower roles.
Malicious account registration without authentication
Accessing with the malicious account, it is evident that it has administrator privileges in the application.
Expected behavior
The application should return a prohibition error due to lack of access; this message must be generic to avoid information leakage that could lead to enumeration of users or other information.
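As an added illustration of the expected behaviour described above (this is example code written for this page, not Helpdesk Community's own code), the following Python shows a deny-by-default route guard that answers unauthenticated callers, callers with an insufficient role and unknown routes with one identical generic 403, together with a registration handler that ignores any client-supplied role and an admin-only update handler that only applies role changes it recognises. The route paths, role names and field names are assumptions chosen for the example.

```python
# Added example (not Helpdesk Community code): deny-by-default authorization
# guard with a single generic denial response, plus a registration handler that
# never trusts a client-supplied role. Route paths, role names and field names
# below are assumptions chosen for illustration.
from dataclasses import dataclass, field
from typing import Optional

ANON = "anonymous"          # marker: route is reachable without a session
DEFAULT_ROLE = "user"       # role every self-registered account receives
VALID_ROLES = {"user", "agent", "admin"}

# One denial response for every failure mode (no session, wrong role, unknown
# route), so a caller cannot tell which routes or accounts exist from the reply.
GENERIC_DENIAL = {"status": 403, "body": {"error": "Access denied"}}

# Every route must be listed with the roles allowed to reach it; an unlisted
# route is denied rather than served.
ROUTE_POLICY = {
    ("POST", "/api/register"):    {ANON},
    ("GET",  "/api/version"):     {"admin"},
    ("GET",  "/api/users"):       {"admin"},
    ("GET",  "/api/departments"): {"admin", "agent"},
    ("GET",  "/api/programs"):    {"admin", "agent"},
    ("PUT",  "/api/users"):       {"admin"},
}

# Fields a caller may set on its own account; "role" is deliberately absent.
SELF_ASSIGNABLE = {"username", "email", "password"}


@dataclass
class Request:
    method: str
    path: str
    session_user: Optional[dict] = None      # None means unauthenticated
    body: dict = field(default_factory=dict)


def authorize(req: Request) -> Optional[dict]:
    """Return None when the request may proceed, else the generic denial."""
    allowed = ROUTE_POLICY.get((req.method, req.path))
    if allowed is None:                       # unknown route: deny by default
        return GENERIC_DENIAL
    if ANON in allowed:                       # explicitly public route
        return None
    if req.session_user is None:              # no session at all
        return GENERIC_DENIAL
    if req.session_user.get("role") not in allowed:
        return GENERIC_DENIAL
    return None


def register_handler(req: Request, store: list) -> dict:
    """Create an account from the payload, discarding any client-supplied role."""
    fields = {k: v for k, v in req.body.items() if k in SELF_ASSIGNABLE}
    user = {**fields, "role": DEFAULT_ROLE}   # role is set server-side only
    store.append(user)
    return {"status": 201, "body": {"username": user.get("username")}}


def update_user_handler(req: Request, store: list) -> dict:
    """Admin-only update; a role change is applied only if it names a known role."""
    target = next((u for u in store if u.get("username") == req.body.get("username")), None)
    if target is None:
        return {"status": 404, "body": {"error": "Not found"}}
    for k in SELF_ASSIGNABLE - {"username"}:
        if k in req.body:
            target[k] = req.body[k]
    if req.body.get("role") in VALID_ROLES:   # unknown role names are ignored
        target["role"] = req.body["role"]
    return {"status": 200, "body": {"username": target["username"], "role": target["role"]}}


def handle(req: Request, store: list) -> dict:
    """Dispatch a request: the guard runs before any handler is chosen."""
    denial = authorize(req)
    if denial is not None:
        return denial
    if (req.method, req.path) == ("POST", "/api/register"):
        return register_handler(req, store)
    if (req.method, req.path) == ("PUT", "/api/users"):
        return update_user_handler(req, store)
    return {"status": 200, "body": {"ok": True}}   # stand-in for the real handler


if __name__ == "__main__":
    users: list = []
    print(handle(Request("GET", "/api/users"), users))                        # generic 403
    print(handle(Request("POST", "/api/register",
                         body={"username": "eve", "role": "admin"}), users))  # created, but as "user"
    print(users[0]["role"])                                                   # user
```

The two points the report asks for are both visible here: the guard runs before any handler and returns the same response body whether the route is unknown, the caller has no session or the caller's role is insufficient, so nothing about the existence of routes or accounts leaks; and the only place a role is assigned is server-side code, so a registration or update payload cannot elevate itself.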
Hi,
INCIBE has indicated to me that the identifier CVE-2023-3037 has been reserved for this vulnerability; this will be effective as of 07/20/2023.
Best regards,