Listen to this Post
How the mentioned CVE works (around 20 lines):
The vulnerability exists in nova-toggle package versions before 1.3.0. The toggle endpoint at `POST /nova-vendor/nova-toggle/toggle/{resource}/{resourceId}` was protected only by the `web` + `auth:is_admin, is_active, is_verified, or is_locked. Because the route lacked Nova’s internal authorization checks, a low-privileged user could flip administrative flags. The controller did not enforce the resource’s `authorizedToUpdate` policy nor validate that the attribute was a declared `Toggle` field. As a result, an authenticated attacker could escalate privileges, disable security features, or manipulate business-critical boolean fields. The issue is an authorization bypass leading to unauthorized data modification. The CVSS vector would likely be medium-to-high due to low complexity and partial integrity impact, but confidentiality remains unaffected.
dailycve form:
Platform: Laravel Nova
Version: <1.3.0
Vulnerability: Auth bypass toggle
Severity: Medium
date: 2023 (disclosed)
Prediction: Already patched (1.3.0)
What Undercode Say:
Check if vulnerable endpoint exists
curl -X POST https://target.com/nova-vendor/nova-toggle/toggle/users/1 \
-H "Cookie: laravel_session=..." \
-d "attribute=is_admin" -d "value=1"
Scan for boolean columns in target model
php artisan tinker --execute="dd((new App\Models\User)->getConnection()->getSchemaBuilder()->getColumnListing('users'))"
Monitor access logs for /nova-vendor/nova-toggle/toggle/
grep "POST /nova-vendor/nova-toggle/toggle" /var/log/nginx/access.log
Exploit:
Authenticate as any valid user (e.g., frontend customer). Send POST request to `/nova-vendor/nova-toggle/toggle/{resource}/{resourceId}` with parameters `attribute=is_admin` and value=1. If the target model has a boolean `is_admin` column, the attacker toggles it to true, gaining admin privileges.
Protection from this CVE:
Update to nova-toggle 1.3.0 or higher. Alternatively, block the route via custom middleware that enforces `viewNova` gate:
Route::post('/nova-vendor/nova-toggle/toggle/')->middleware('can:viewNova');
Impact:
Any authenticated user (including customers) can flip arbitrary boolean fields on any Nova-managed model. This leads to privilege escalation, bypass of feature flags, and integrity loss of critical model states.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

