Listen to this Post
The vulnerability arises from inconsistent authorization logic between the Dashboard API and the REST API in StudioCMS. The Dashboard API correctly uses an index-based comparison of permission ranks (unknown, visitor, editor, admin, owner) to prevent a user from creating another user with a rank equal to or higher than their own. This blocks an admin (rank index 3) from creating another admin (index 3). However, the REST API endpoint for creating users (packages/studiocms/frontend/pages/studiocms_api/_handlers/rest-api/v1/secure.ts) only performs string-based checks: it blocks creating an ‘owner’ account if the caller is not an owner, and blocks an admin from creating an owner. It does not block an admin from creating another admin. Consequently, an authenticated admin can use the REST API to create additional admin accounts, enabling privilege proliferation and persistence. The impact is limited by the requirement of admin access, but it allows a rogue admin to maintain access even after their original account is revoked. The fix involves replacing the string checks with the index-based comparison used in the Dashboard API.
dailycve form:
Platform: StudioCMS
Version: All versions
Vulnerability: Privilege escalation
Severity: Medium
Date: 2025-02-15
Prediction: Expected next release
What Undercode Say:
Analytics
The vulnerability has a CVSS v3 base score of approximately 4.4 (Medium) due to high privileges required but low complexity and no user interaction. It affects all installations using the affected REST API endpoint, potentially allowing attackers with admin access to create backdoor accounts. The issue is easy to exploit once admin access is obtained, increasing the risk of persistent unauthorized access.
Bash Commands and Codes
PoC curl command to create an additional admin via REST API:
curl -X POST 'http://localhost:4321/studiocms_api/rest/v1/secure/users' \
-H 'Authorization: Bearer <admin-api-token>' \
-H 'Content-Type: application/json' \
-d '{
"username": "rogue_admin",
"email": "[email protected]",
"displayname": "Rogue Admin",
"rank": "admin",
"password": "StrongP@ssw0rd123"
}'
Vulnerable code snippet (`secure.ts` lines 1365-1378):
if (newUserRank === 'owner' && rank !== 'owner') {
return yield new RestAPIError({ error: 'Unauthorized to create user with owner rank' });
}
if (rank === 'admin' && newUserRank === 'owner') {
return yield new RestAPIError({ error: 'Unauthorized to create user with owner rank' });
}
// Missing check for admin creating admin
Recommended fix (replacing with index-based comparison):
const availablePermissionRanks = ['unknown', 'visitor', 'editor', 'admin', 'owner'];
const callerPerm = availablePermissionRanks.indexOf(rank);
const targetPerm = availablePermissionRanks.indexOf(newUserRank);
if (targetPerm >= callerPerm) {
return yield new RestAPIError({ error: 'Unauthorized: insufficient permissions to assign target rank' });
}
how Exploit:
An attacker with admin-level API access can send a POST request to the REST API endpoint `/studiocms_api/rest/v1/secure/users` with a JSON payload containing "rank": "admin". The server will accept the request and create a new admin user because the vulnerable code does not prevent an admin from creating another admin. The attacker can then use the new admin credentials to maintain persistent access.
Protection from this CVE
Apply the official patch by replacing the string-based rank checks in `secure.ts` with the index-based comparison as shown in the recommended fix. If patching is not immediately possible, restrict access to the REST API endpoint to trusted networks or monitor logs for unusual user creation by admin accounts. Ensure that admin API tokens are rotated and access is audited.
Impact:
A compromised or malicious admin can create additional admin accounts, leading to privilege proliferation and persistence. These backdoor accounts survive password resets or token revocations, making it difficult to fully remove an attacker’s access. The vulnerability undermines the principle of least privilege and can facilitate long-term unauthorized control over the StudioCMS instance.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

