Privilege Escalation Vulnerability due to the session validation weakness #12

Open
tyhk opened this issue Jan 30, 2021 · 1 comment

tyhk commented Jan 30, 2021

Description: Privilege Escalation Vulnerability due to the session validation weakness

The Profile function in CuppaCMS before 31 Jan 2021 has a privilege escalation vulnerability due to the session validation weakness. An attacker could escalate their privilege to Super Admin by tampering with the HTTP request, and then obtain full control of CuppaCMS.

**Proof of Concept**
Step 1: Access the profile function with a low privilege account
image

Step 2: Add the user_group_id_field as one of the POST parameters, and set the value to "1"
Original Request
image
Edited Request: added the "user_group_id_field" parameter as highlighted
image
Response: 2 means successfully updated the record
image

Step 3: Log in to the account again and obtain super admin privilege
image
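A server-side allow-list of the kind that stops the tampered profile request described in this issue, as an added example that is not part of the original report or of CuppaCMS's own code. The field names other than `user_group_id_field`, the session layout and the group ids are assumptions.

```php
<?php
// Added illustration, not CuppaCMS code. All names except
// user_group_id_field are assumed for the example.

// Fields a user may change on their own profile (assumed names).
const SELF_EDITABLE = ['name_field', 'email_field', 'password_field'];
// Fields that change privilege; only a super admin session may set them.
const PRIVILEGED = ['user_group_id_field'];
// Assumed id of the super admin group.
const SUPER_ADMIN_GROUP = 1;

/**
 * Split a profile POST body into fields that are safe to persist and
 * fields that were rejected. The decision is based on the server-side
 * session only, never on anything the request itself claims.
 */
function filterProfileUpdate(array $post, array $session): array
{
    $allowed = SELF_EDITABLE;
    if (($session['user_group_id'] ?? null) === SUPER_ADMIN_GROUP) {
        $allowed = array_merge($allowed, PRIVILEGED);
    }
    // Keep only allow-listed keys; everything else is reported back.
    $accepted = array_intersect_key($post, array_flip($allowed));
    $rejected = array_keys(array_diff_key($post, $accepted));
    return ['accepted' => $accepted, 'rejected' => $rejected];
}

// Constructed sample: a low-privilege session and a request body that
// carries the extra group parameter.
$session = ['user_id' => 42, 'user_group_id' => 3];
$post = [
    'name_field'          => 'Alice',
    'email_field'         => 'alice@example.test',
    'user_group_id_field' => '1',
];

$result = filterProfileUpdate($post, $session);
if ($result['rejected']) {
    // A privileged field in a self-service update is a tampering signal
    // worth logging for detection.
    error_log(sprintf(
        'profile update: user %d sent disallowed fields: %s',
        $session['user_id'],
        implode(',', $result['rejected'])
    ));
}
print_r($result['accepted']);
```

Only the `accepted` array should ever reach the UPDATE statement; building the query from the raw POST keys is what lets an extra column through.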


tyhk commented Dec 13, 2021

Assigned CVE-2021-3376.
