Listen to this Post
The vulnerability exploits a missing authorization check on a specific endpoint (/dashboard/content-management/edit). While the endpoint verifies a user is authenticated via their session cookie, it fails to validate the user’s role permissions or the ownership of the requested content object (draft). The edit parameter accepts a UUID identifying a draft content item. The application retrieves the draft based solely on this UUID without confirming if the authenticated user has the necessary ‘Editor’ role or if they are the creator of the draft. Consequently, any authenticated user, including those with the lowest-privilege ‘Visitor’ role, can access any draft by simply guessing or discovering a valid UUID and appending it to the vulnerable endpoint URL in a direct request, leading to unauthorized information disclosure.
Platform: StudioCMS
Version: All versions
Vulnerability : Broken Object Authorization
Severity: Critical
date: 2023-11-09
Prediction: 2023-12-15
What Undercode Say:
Analytics
curl -X POST "http://127.0.0.1:4321/studiocms_api/auth/login" -F 'username=dummy01' -F 'password=dummy01pass$' curl "http://127.0.0.1:4321/dashboard/content-management/edit?edit=bad87630-69a4-4cd6-bcb2-6965839dc148" -H "Cookie: auth_session=qvawh6zv23hc2spu6xx7pzgrnn4rpd3q"
Exploit:
1. Obtain valid session cookie.
2. Discover or guess draft UUID.
3. Directly request edit endpoint.
Protection from this CVE:
Implement proper authorization.
Check user role/ownership.
Validate object-level access.
Impact:
Information disclosure.
Privacy violation.
RBAC bypass.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

